Upload File

random oracles in a quantum world - cs.princeton.edumzhandry/docs/talks/qrom.slides.pdf ·...

  • Home
  • Documents
  • Random Oracles in a Quantum World - cs.princeton.edumzhandry/docs/talks/QROM.slides.pdf · Introduction Positive Results Conclusion Random Oracles in a Quantum World Dan Boneh1 Ozgur
65
Introduction Positive Results Conclusion Random Oracles in a Quantum World Dan Boneh 1 ¨ Ozg¨ ur Dagdelen 2 Marc Fischlin 2 Anja Lehmann 3 Christian Schaffner 4 Mark Zhandry 1 1 Stanford University, USA 2 CASED & Darmstadt University of Technology, Germany 3 IBM Research Zurich, Switzerland 4 University of Amsterdam and CWI, The Netherlands December 5, 2011 Boneh, Dagdelen, Fischlin, Lehmann, Schaffner, Zhandry Random Oracles in a Quantum World

Upload: phamcong

Post on 18-Jan-2019

214 views

Category:

Documents


0 download

Report

TRANSCRIPT

Page 1: Random Oracles in a Quantum World - cs.princeton.edumzhandry/docs/talks/QROM.slides.pdf · Introduction Positive Results Conclusion Random Oracles in a Quantum World Dan Boneh1 Ozgur

IntroductionPositive Results

Conclusion

Random Oracles in a Quantum World

Dan Boneh1 Ozgur Dagdelen2 Marc Fischlin2

Anja Lehmann3 Christian Schaffner4 Mark Zhandry1

1Stanford University, USA

2CASED & Darmstadt University of Technology, Germany

3IBM Research Zurich, Switzerland

4University of Amsterdam and CWI, The Netherlands

December 5, 2011

Boneh, Dagdelen, Fischlin, Lehmann, Schaffner, Zhandry Random Oracles in a Quantum World

Page 2: Random Oracles in a Quantum World - cs.princeton.edumzhandry/docs/talks/QROM.slides.pdf · Introduction Positive Results Conclusion Random Oracles in a Quantum World Dan Boneh1 Ozgur

IntroductionPositive Results

Conclusion

Quantum Random Oracle ModelOur Results

Classical Random Oracle Model Adversaries

Boneh, Dagdelen, Fischlin, Lehmann, Schaffner, Zhandry Random Oracles in a Quantum World

Page 3: Random Oracles in a Quantum World - cs.princeton.edumzhandry/docs/talks/QROM.slides.pdf · Introduction Positive Results Conclusion Random Oracles in a Quantum World Dan Boneh1 Ozgur

IntroductionPositive Results

Conclusion

Quantum Random Oracle ModelOur Results

Quantum Random Oracle Model Adversaries

Boneh, Dagdelen, Fischlin, Lehmann, Schaffner, Zhandry Random Oracles in a Quantum World

Page 4: Random Oracles in a Quantum World - cs.princeton.edumzhandry/docs/talks/QROM.slides.pdf · Introduction Positive Results Conclusion Random Oracles in a Quantum World Dan Boneh1 Ozgur

IntroductionPositive Results

Conclusion

Quantum Random Oracle ModelOur Results

Quantum Random Oracle Model (QROM)

Why quantum queries? Random oracle models hash function,which a quantum adversary can evaluate on superposition.

Because quantum adversaries can query on a superposition,classical proofs of security do not carry over to the quantumsetting.Examples:

Simulating the random oracleDetermining what points the adversary is interested inProgramming the random oracleRewinding

Boneh, Dagdelen, Fischlin, Lehmann, Schaffner, Zhandry Random Oracles in a Quantum World

Page 5: Random Oracles in a Quantum World - cs.princeton.edumzhandry/docs/talks/QROM.slides.pdf · Introduction Positive Results Conclusion Random Oracles in a Quantum World Dan Boneh1 Ozgur

IntroductionPositive Results

Conclusion

Quantum Random Oracle ModelOur Results

Quantum Random Oracle Model (QROM)

Why quantum queries? Random oracle models hash function,which a quantum adversary can evaluate on superposition.

Because quantum adversaries can query on a superposition,classical proofs of security do not carry over to the quantumsetting.

Examples:

Simulating the random oracleDetermining what points the adversary is interested inProgramming the random oracleRewinding

Boneh, Dagdelen, Fischlin, Lehmann, Schaffner, Zhandry Random Oracles in a Quantum World

Page 6: Random Oracles in a Quantum World - cs.princeton.edumzhandry/docs/talks/QROM.slides.pdf · Introduction Positive Results Conclusion Random Oracles in a Quantum World Dan Boneh1 Ozgur

IntroductionPositive Results

Conclusion

Quantum Random Oracle ModelOur Results

Quantum Random Oracle Model (QROM)

Why quantum queries? Random oracle models hash function,which a quantum adversary can evaluate on superposition.

Because quantum adversaries can query on a superposition,classical proofs of security do not carry over to the quantumsetting.Examples:

Simulating the random oracleDetermining what points the adversary is interested inProgramming the random oracleRewinding

Boneh, Dagdelen, Fischlin, Lehmann, Schaffner, Zhandry Random Oracles in a Quantum World

Page 7: Random Oracles in a Quantum World - cs.princeton.edumzhandry/docs/talks/QROM.slides.pdf · Introduction Positive Results Conclusion Random Oracles in a Quantum World Dan Boneh1 Ozgur

IntroductionPositive Results

Conclusion

Quantum Random Oracle ModelOur Results

Our Results

Separation result: Scheme secure in classical ROM, butinsecure in QROM

Identification scheme

Positive result: Signature Schemes

Some classical security proofs carry over (if quantum PRFsexist).Example: Lattice-based signatures ([GPV08])Example: Specific instances of Full Domain HashGeneric Full Domain Hash is still open.

Positive result: Encryption Schemes

Boneh, Dagdelen, Fischlin, Lehmann, Schaffner, Zhandry Random Oracles in a Quantum World

Page 8: Random Oracles in a Quantum World - cs.princeton.edumzhandry/docs/talks/QROM.slides.pdf · Introduction Positive Results Conclusion Random Oracles in a Quantum World Dan Boneh1 Ozgur

IntroductionPositive Results

Conclusion

Quantum Random Oracle ModelOur Results

Our Results

Separation result: Scheme secure in classical ROM, butinsecure in QROM

Identification scheme

Positive result: Signature Schemes

Some classical security proofs carry over (if quantum PRFsexist).Example: Lattice-based signatures ([GPV08])Example: Specific instances of Full Domain HashGeneric Full Domain Hash is still open.

Positive result: Encryption Schemes

Boneh, Dagdelen, Fischlin, Lehmann, Schaffner, Zhandry Random Oracles in a Quantum World

Page 9: Random Oracles in a Quantum World - cs.princeton.edumzhandry/docs/talks/QROM.slides.pdf · Introduction Positive Results Conclusion Random Oracles in a Quantum World Dan Boneh1 Ozgur

IntroductionPositive Results

Conclusion

Quantum Random Oracle ModelOur Results

Our Results

Separation result: Scheme secure in classical ROM, butinsecure in QROM

Identification scheme

Positive result: Signature Schemes

Some classical security proofs carry over (if quantum PRFsexist).Example: Lattice-based signatures ([GPV08])Example: Specific instances of Full Domain HashGeneric Full Domain Hash is still open.

Positive result: Encryption Schemes

Boneh, Dagdelen, Fischlin, Lehmann, Schaffner, Zhandry Random Oracles in a Quantum World

Page 10: Random Oracles in a Quantum World - cs.princeton.edumzhandry/docs/talks/QROM.slides.pdf · Introduction Positive Results Conclusion Random Oracles in a Quantum World Dan Boneh1 Ozgur

IntroductionPositive Results

Conclusion

Quantum Random Oracle ModelOur Results

Our Results

Separation result: Scheme secure in classical ROM, butinsecure in QROM

Identification scheme

Positive result: Signature Schemes

Some classical security proofs carry over (if quantum PRFsexist).

Example: Lattice-based signatures ([GPV08])Example: Specific instances of Full Domain HashGeneric Full Domain Hash is still open.

Positive result: Encryption Schemes

Boneh, Dagdelen, Fischlin, Lehmann, Schaffner, Zhandry Random Oracles in a Quantum World

Page 11: Random Oracles in a Quantum World - cs.princeton.edumzhandry/docs/talks/QROM.slides.pdf · Introduction Positive Results Conclusion Random Oracles in a Quantum World Dan Boneh1 Ozgur

IntroductionPositive Results

Conclusion

Quantum Random Oracle ModelOur Results

Our Results

Separation result: Scheme secure in classical ROM, butinsecure in QROM

Identification scheme

Positive result: Signature Schemes

Some classical security proofs carry over (if quantum PRFsexist).Example: Lattice-based signatures ([GPV08])Example: Specific instances of Full Domain HashGeneric Full Domain Hash is still open.

Positive result: Encryption Schemes

Boneh, Dagdelen, Fischlin, Lehmann, Schaffner, Zhandry Random Oracles in a Quantum World

Page 12: Random Oracles in a Quantum World - cs.princeton.edumzhandry/docs/talks/QROM.slides.pdf · Introduction Positive Results Conclusion Random Oracles in a Quantum World Dan Boneh1 Ozgur

IntroductionPositive Results

Conclusion

Quantum Random Oracle ModelOur Results

Our Results

Separation result: Scheme secure in classical ROM, butinsecure in QROM

Identification scheme

Positive result: Signature Schemes

Some classical security proofs carry over (if quantum PRFsexist).Example: Lattice-based signatures ([GPV08])Example: Specific instances of Full Domain HashGeneric Full Domain Hash is still open.

Positive result: Encryption Schemes

Boneh, Dagdelen, Fischlin, Lehmann, Schaffner, Zhandry Random Oracles in a Quantum World

Page 13: Random Oracles in a Quantum World - cs.princeton.edumzhandry/docs/talks/QROM.slides.pdf · Introduction Positive Results Conclusion Random Oracles in a Quantum World Dan Boneh1 Ozgur

IntroductionPositive Results

Conclusion

SignaturesEncryption Schemes

Preimage Sampleable Functions

A preimage sampleable trapdoor function (PSF) F is a tripleof functions (G , f , f −1):

G (1n) outputs (sk, pk)fpk(x) is efficiently computable, uniformly distributed forrandom x .f −1sk (y) samples uniformly from the set of x such thatfpk(x) = y

F = (G , f , f −1) is secure if it is one-way, collision-resistant,and has high preimage min-entropy.

Secure construction from lattices [GPV08]

Boneh, Dagdelen, Fischlin, Lehmann, Schaffner, Zhandry Random Oracles in a Quantum World

Page 14: Random Oracles in a Quantum World - cs.princeton.edumzhandry/docs/talks/QROM.slides.pdf · Introduction Positive Results Conclusion Random Oracles in a Quantum World Dan Boneh1 Ozgur

IntroductionPositive Results

Conclusion

SignaturesEncryption Schemes

Preimage Sampleable Functions

A preimage sampleable trapdoor function (PSF) F is a tripleof functions (G , f , f −1):

G (1n) outputs (sk, pk)fpk(x) is efficiently computable, uniformly distributed forrandom x .f −1sk (y) samples uniformly from the set of x such thatfpk(x) = y

F = (G , f , f −1) is secure if it is one-way, collision-resistant,and has high preimage min-entropy.

Secure construction from lattices [GPV08]

Boneh, Dagdelen, Fischlin, Lehmann, Schaffner, Zhandry Random Oracles in a Quantum World

Page 15: Random Oracles in a Quantum World - cs.princeton.edumzhandry/docs/talks/QROM.slides.pdf · Introduction Positive Results Conclusion Random Oracles in a Quantum World Dan Boneh1 Ozgur

IntroductionPositive Results

Conclusion

SignaturesEncryption Schemes

Preimage Sampleable Functions

A preimage sampleable trapdoor function (PSF) F is a tripleof functions (G , f , f −1):

G (1n) outputs (sk, pk)fpk(x) is efficiently computable, uniformly distributed forrandom x .f −1sk (y) samples uniformly from the set of x such thatfpk(x) = y

F = (G , f , f −1) is secure if it is one-way, collision-resistant,and has high preimage min-entropy.

Secure construction from lattices [GPV08]

Boneh, Dagdelen, Fischlin, Lehmann, Schaffner, Zhandry Random Oracles in a Quantum World

Page 16: Random Oracles in a Quantum World - cs.princeton.edumzhandry/docs/talks/QROM.slides.pdf · Introduction Positive Results Conclusion Random Oracles in a Quantum World Dan Boneh1 Ozgur

IntroductionPositive Results

Conclusion

SignaturesEncryption Schemes

Example: GPV Signatures

Given a PSF F = (G , f , f −1), construct a signature schemeSO = (G , SO ,VO) as follows:

SOsk(m) = f −1

sk (O(m)). Remember this output for futurequeries of m

VOpk(m, σ) accepts if and only if fpk(σ) = O(m).

Theorem

Suppose F is a quantum-secure PSF, and that quantumpseudorandom functions exist. Then S is quantum secure.

Boneh, Dagdelen, Fischlin, Lehmann, Schaffner, Zhandry Random Oracles in a Quantum World

Page 17: Random Oracles in a Quantum World - cs.princeton.edumzhandry/docs/talks/QROM.slides.pdf · Introduction Positive Results Conclusion Random Oracles in a Quantum World Dan Boneh1 Ozgur

IntroductionPositive Results

Conclusion

SignaturesEncryption Schemes

Example: GPV Signatures

Given a PSF F = (G , f , f −1), construct a signature schemeSO = (G , SO ,VO) as follows:

SOsk(m) = f −1

sk (O(m)). Remember this output for futurequeries of m

VOpk(m, σ) accepts if and only if fpk(σ) = O(m).

Theorem

Suppose F is a quantum-secure PSF, and that quantumpseudorandom functions exist. Then S is quantum secure.

Boneh, Dagdelen, Fischlin, Lehmann, Schaffner, Zhandry Random Oracles in a Quantum World

Page 18: Random Oracles in a Quantum World - cs.princeton.edumzhandry/docs/talks/QROM.slides.pdf · Introduction Positive Results Conclusion Random Oracles in a Quantum World Dan Boneh1 Ozgur

IntroductionPositive Results

Conclusion

SignaturesEncryption Schemes

Example: GPV Signatures

Given a PSF F = (G , f , f −1), construct a signature schemeSO = (G , SO ,VO) as follows:

SOsk(m) = f −1

sk (O(m)). Remember this output for futurequeries of m

VOpk(m, σ) accepts if and only if fpk(σ) = O(m).

Theorem

Suppose F is a quantum-secure PSF, and that quantumpseudorandom functions exist. Then S is quantum secure.

Boneh, Dagdelen, Fischlin, Lehmann, Schaffner, Zhandry Random Oracles in a Quantum World

Page 19: Random Oracles in a Quantum World - cs.princeton.edumzhandry/docs/talks/QROM.slides.pdf · Introduction Positive Results Conclusion Random Oracles in a Quantum World Dan Boneh1 Ozgur

IntroductionPositive Results

Conclusion

SignaturesEncryption Schemes

Example: GPV Signatures

Given a PSF F = (G , f , f −1), construct a signature schemeSO = (G , SO ,VO) as follows:

SOsk(m) = f −1

sk (O(m)). Remember this output for futurequeries of m

VOpk(m, σ) accepts if and only if fpk(σ) = O(m).

Theorem

Suppose F is a quantum-secure PSF, and that quantumpseudorandom functions exist. Then S is quantum secure.

Boneh, Dagdelen, Fischlin, Lehmann, Schaffner, Zhandry Random Oracles in a Quantum World

Page 20: Random Oracles in a Quantum World - cs.princeton.edumzhandry/docs/talks/QROM.slides.pdf · Introduction Positive Results Conclusion Random Oracles in a Quantum World Dan Boneh1 Ozgur

IntroductionPositive Results

Conclusion

SignaturesEncryption Schemes

Security of GPV Signatures

Two parts:

Prove that security of a certain type of classical reduction(called history free) implies security in the quantum setting

Show that the reduction of [GPV08] is history free

Boneh, Dagdelen, Fischlin, Lehmann, Schaffner, Zhandry Random Oracles in a Quantum World

Page 21: Random Oracles in a Quantum World - cs.princeton.edumzhandry/docs/talks/QROM.slides.pdf · Introduction Positive Results Conclusion Random Oracles in a Quantum World Dan Boneh1 Ozgur

IntroductionPositive Results

Conclusion

SignaturesEncryption Schemes

Security of GPV Signatures

Two parts:

Prove that security of a certain type of classical reduction(called history free) implies security in the quantum setting

Show that the reduction of [GPV08] is history free

Boneh, Dagdelen, Fischlin, Lehmann, Schaffner, Zhandry Random Oracles in a Quantum World

Page 22: Random Oracles in a Quantum World - cs.princeton.edumzhandry/docs/talks/QROM.slides.pdf · Introduction Positive Results Conclusion Random Oracles in a Quantum World Dan Boneh1 Ozgur

IntroductionPositive Results

Conclusion

SignaturesEncryption Schemes

Security of GPV Signatures

Two parts:

Prove that security of a certain type of classical reduction(called history free) implies security in the quantum setting

Show that the reduction of [GPV08] is history free

Boneh, Dagdelen, Fischlin, Lehmann, Schaffner, Zhandry Random Oracles in a Quantum World

Page 23: Random Oracles in a Quantum World - cs.princeton.edumzhandry/docs/talks/QROM.slides.pdf · Introduction Positive Results Conclusion Random Oracles in a Quantum World Dan Boneh1 Ozgur

IntroductionPositive Results

Conclusion

SignaturesEncryption Schemes

(Classical) History-free Reduction

Classical RO Techniques:

Simulating the random oracle.

Use a random oracle.

Determine what points the adversary is querying the oracleon.

Not allowed.

Programming the random oracle.

Only non-adaptively (i.e. no knowledge of previous queries)

Rewinding

Not allowed.

Boneh, Dagdelen, Fischlin, Lehmann, Schaffner, Zhandry Random Oracles in a Quantum World

Page 24: Random Oracles in a Quantum World - cs.princeton.edumzhandry/docs/talks/QROM.slides.pdf · Introduction Positive Results Conclusion Random Oracles in a Quantum World Dan Boneh1 Ozgur

IntroductionPositive Results

Conclusion

SignaturesEncryption Schemes

(Classical) History-free Reduction

Classical RO Techniques:

Simulating the random oracle.

Use a random oracle.

Determine what points the adversary is querying the oracleon.

Not allowed.

Programming the random oracle.

Only non-adaptively (i.e. no knowledge of previous queries)

Rewinding

Not allowed.

Boneh, Dagdelen, Fischlin, Lehmann, Schaffner, Zhandry Random Oracles in a Quantum World

Page 25: Random Oracles in a Quantum World - cs.princeton.edumzhandry/docs/talks/QROM.slides.pdf · Introduction Positive Results Conclusion Random Oracles in a Quantum World Dan Boneh1 Ozgur

IntroductionPositive Results

Conclusion

SignaturesEncryption Schemes

(Classical) History-free Reduction

Classical RO Techniques:

Simulating the random oracle.

Use a random oracle.

Determine what points the adversary is querying the oracleon.

Not allowed.

Programming the random oracle.

Only non-adaptively (i.e. no knowledge of previous queries)

Rewinding

Not allowed.

Boneh, Dagdelen, Fischlin, Lehmann, Schaffner, Zhandry Random Oracles in a Quantum World

Page 26: Random Oracles in a Quantum World - cs.princeton.edumzhandry/docs/talks/QROM.slides.pdf · Introduction Positive Results Conclusion Random Oracles in a Quantum World Dan Boneh1 Ozgur

IntroductionPositive Results

Conclusion

SignaturesEncryption Schemes

(Classical) History-free Reduction

Classical RO Techniques:

Simulating the random oracle.

Use a random oracle.

Determine what points the adversary is querying the oracleon.

Not allowed.

Programming the random oracle.

Only non-adaptively (i.e. no knowledge of previous queries)

Rewinding

Not allowed.

Boneh, Dagdelen, Fischlin, Lehmann, Schaffner, Zhandry Random Oracles in a Quantum World

Page 27: Random Oracles in a Quantum World - cs.princeton.edumzhandry/docs/talks/QROM.slides.pdf · Introduction Positive Results Conclusion Random Oracles in a Quantum World Dan Boneh1 Ozgur

IntroductionPositive Results

Conclusion

SignaturesEncryption Schemes

(Classical) History-free Reduction

Classical RO Techniques:

Simulating the random oracle.

Use a random oracle.

Determine what points the adversary is querying the oracleon.

Not allowed.

Programming the random oracle.

Only non-adaptively (i.e. no knowledge of previous queries)

Rewinding

Not allowed.

Boneh, Dagdelen, Fischlin, Lehmann, Schaffner, Zhandry Random Oracles in a Quantum World

Page 28: Random Oracles in a Quantum World - cs.princeton.edumzhandry/docs/talks/QROM.slides.pdf · Introduction Positive Results Conclusion Random Oracles in a Quantum World Dan Boneh1 Ozgur

IntroductionPositive Results

Conclusion

SignaturesEncryption Schemes

(Classical) History-free Reduction

Classical RO Techniques:

Simulating the random oracle.

Use a random oracle.

Determine what points the adversary is querying the oracleon.

Not allowed.

Programming the random oracle.

Only non-adaptively (i.e. no knowledge of previous queries)

Rewinding

Not allowed.

Boneh, Dagdelen, Fischlin, Lehmann, Schaffner, Zhandry Random Oracles in a Quantum World

Page 29: Random Oracles in a Quantum World - cs.princeton.edumzhandry/docs/talks/QROM.slides.pdf · Introduction Positive Results Conclusion Random Oracles in a Quantum World Dan Boneh1 Ozgur

IntroductionPositive Results

Conclusion

SignaturesEncryption Schemes

(Classical) History-free Reduction

Classical RO Techniques:

Simulating the random oracle.

Use a random oracle.

Determine what points the adversary is querying the oracleon.

Not allowed.

Programming the random oracle.

Only non-adaptively (i.e. no knowledge of previous queries)

Rewinding

Not allowed.

Boneh, Dagdelen, Fischlin, Lehmann, Schaffner, Zhandry Random Oracles in a Quantum World

Page 30: Random Oracles in a Quantum World - cs.princeton.edumzhandry/docs/talks/QROM.slides.pdf · Introduction Positive Results Conclusion Random Oracles in a Quantum World Dan Boneh1 Ozgur

IntroductionPositive Results

Conclusion

SignaturesEncryption Schemes

(Classical) History-free Reduction

Classical RO Techniques:

Simulating the random oracle.

Use a random oracle.

Determine what points the adversary is querying the oracleon.

Not allowed.

Programming the random oracle.

Only non-adaptively (i.e. no knowledge of previous queries)

Rewinding

Not allowed.

Boneh, Dagdelen, Fischlin, Lehmann, Schaffner, Zhandry Random Oracles in a Quantum World

Page 31: Random Oracles in a Quantum World - cs.princeton.edumzhandry/docs/talks/QROM.slides.pdf · Introduction Positive Results Conclusion Random Oracles in a Quantum World Dan Boneh1 Ozgur

IntroductionPositive Results

Conclusion

SignaturesEncryption Schemes

(Classical) History-free Reduction

Classical RO Techniques:

Simulating the random oracle.

Use a random oracle.

Determine what points the adversary is querying the oracleon.

Not allowed.

Programming the random oracle.

Only non-adaptively (i.e. no knowledge of previous queries)

Rewinding

Not allowed.

Boneh, Dagdelen, Fischlin, Lehmann, Schaffner, Zhandry Random Oracles in a Quantum World

Page 32: Random Oracles in a Quantum World - cs.princeton.edumzhandry/docs/talks/QROM.slides.pdf · Introduction Positive Results Conclusion Random Oracles in a Quantum World Dan Boneh1 Ozgur

IntroductionPositive Results

Conclusion

SignaturesEncryption Schemes

(Classical) History-free Reduction

Reduction algorithm has private random oracle Oc

Implemented on the fly

Random oracle queries answered by RandOc

Truly random

Signatures answered by SignOc

Consistent with random oracleDistribution identical to actual

Boneh, Dagdelen, Fischlin, Lehmann, Schaffner, Zhandry Random Oracles in a Quantum World

Page 33: Random Oracles in a Quantum World - cs.princeton.edumzhandry/docs/talks/QROM.slides.pdf · Introduction Positive Results Conclusion Random Oracles in a Quantum World Dan Boneh1 Ozgur

IntroductionPositive Results

Conclusion

SignaturesEncryption Schemes

(Classical) History-free Reduction

Reduction algorithm has private random oracle Oc

Implemented on the fly

Random oracle queries answered by RandOc

Truly random

Signatures answered by SignOc

Consistent with random oracleDistribution identical to actual

Boneh, Dagdelen, Fischlin, Lehmann, Schaffner, Zhandry Random Oracles in a Quantum World

Page 34: Random Oracles in a Quantum World - cs.princeton.edumzhandry/docs/talks/QROM.slides.pdf · Introduction Positive Results Conclusion Random Oracles in a Quantum World Dan Boneh1 Ozgur

IntroductionPositive Results

Conclusion

SignaturesEncryption Schemes

(Classical) History-free Reduction

Reduction algorithm has private random oracle Oc

Implemented on the fly

Random oracle queries answered by RandOc

Truly random

Signatures answered by SignOc

Consistent with random oracleDistribution identical to actual

Boneh, Dagdelen, Fischlin, Lehmann, Schaffner, Zhandry Random Oracles in a Quantum World

Page 35: Random Oracles in a Quantum World - cs.princeton.edumzhandry/docs/talks/QROM.slides.pdf · Introduction Positive Results Conclusion Random Oracles in a Quantum World Dan Boneh1 Ozgur

IntroductionPositive Results

Conclusion

SignaturesEncryption Schemes

(Classical) History-free Reduction

Reduction algorithm has private random oracle Oc

Implemented on the fly

Random oracle queries answered by RandOc

Truly random

Signatures answered by SignOc

Consistent with random oracleDistribution identical to actual

Boneh, Dagdelen, Fischlin, Lehmann, Schaffner, Zhandry Random Oracles in a Quantum World

Page 36: Random Oracles in a Quantum World - cs.princeton.edumzhandry/docs/talks/QROM.slides.pdf · Introduction Positive Results Conclusion Random Oracles in a Quantum World Dan Boneh1 Ozgur

IntroductionPositive Results

Conclusion

SignaturesEncryption Schemes

(Classical) History Free Reduction

Boneh, Dagdelen, Fischlin, Lehmann, Schaffner, Zhandry Random Oracles in a Quantum World

Page 37: Random Oracles in a Quantum World - cs.princeton.edumzhandry/docs/talks/QROM.slides.pdf · Introduction Positive Results Conclusion Random Oracles in a Quantum World Dan Boneh1 Ozgur

IntroductionPositive Results

Conclusion

SignaturesEncryption Schemes

Main Theorem

Theorem

Suppose a random oracle model signature scheme S has ahistory-free reduction that transforms any classical adversary Ainto a classical algorithm B for some hard problem for quantumcomputers. Suppose further that quantum pseudorandomfunctions exist. Then S is secure against quantum adversaries.

Boneh, Dagdelen, Fischlin, Lehmann, Schaffner, Zhandry Random Oracles in a Quantum World

Page 38: Random Oracles in a Quantum World - cs.princeton.edumzhandry/docs/talks/QROM.slides.pdf · Introduction Positive Results Conclusion Random Oracles in a Quantum World Dan Boneh1 Ozgur

IntroductionPositive Results

Conclusion

SignaturesEncryption Schemes

Proof

Boneh, Dagdelen, Fischlin, Lehmann, Schaffner, Zhandry Random Oracles in a Quantum World

Page 39: Random Oracles in a Quantum World - cs.princeton.edumzhandry/docs/talks/QROM.slides.pdf · Introduction Positive Results Conclusion Random Oracles in a Quantum World Dan Boneh1 Ozgur

IntroductionPositive Results

Conclusion

SignaturesEncryption Schemes

Proof

Boneh, Dagdelen, Fischlin, Lehmann, Schaffner, Zhandry Random Oracles in a Quantum World

Page 40: Random Oracles in a Quantum World - cs.princeton.edumzhandry/docs/talks/QROM.slides.pdf · Introduction Positive Results Conclusion Random Oracles in a Quantum World Dan Boneh1 Ozgur

IntroductionPositive Results

Conclusion

SignaturesEncryption Schemes

Problem

Quantum adversary could query on a superposition ofexponentially many inputs.

Results in queries to Oq on exponential superposition.

Implementing the random oracle would require exponentialrandomness.

Idea: Use a quantum pseudorandom function

Boneh, Dagdelen, Fischlin, Lehmann, Schaffner, Zhandry Random Oracles in a Quantum World

Page 41: Random Oracles in a Quantum World - cs.princeton.edumzhandry/docs/talks/QROM.slides.pdf · Introduction Positive Results Conclusion Random Oracles in a Quantum World Dan Boneh1 Ozgur

IntroductionPositive Results

Conclusion

SignaturesEncryption Schemes

Problem

Quantum adversary could query on a superposition ofexponentially many inputs.

Results in queries to Oq on exponential superposition.

Implementing the random oracle would require exponentialrandomness.

Idea: Use a quantum pseudorandom function

Boneh, Dagdelen, Fischlin, Lehmann, Schaffner, Zhandry Random Oracles in a Quantum World

Page 42: Random Oracles in a Quantum World - cs.princeton.edumzhandry/docs/talks/QROM.slides.pdf · Introduction Positive Results Conclusion Random Oracles in a Quantum World Dan Boneh1 Ozgur

IntroductionPositive Results

Conclusion

SignaturesEncryption Schemes

Problem

Quantum adversary could query on a superposition ofexponentially many inputs.

Results in queries to Oq on exponential superposition.

Implementing the random oracle would require exponentialrandomness.

Idea: Use a quantum pseudorandom function

Boneh, Dagdelen, Fischlin, Lehmann, Schaffner, Zhandry Random Oracles in a Quantum World

Page 43: Random Oracles in a Quantum World - cs.princeton.edumzhandry/docs/talks/QROM.slides.pdf · Introduction Positive Results Conclusion Random Oracles in a Quantum World Dan Boneh1 Ozgur

IntroductionPositive Results

Conclusion

SignaturesEncryption Schemes

Problem

Quantum adversary could query on a superposition ofexponentially many inputs.

Results in queries to Oq on exponential superposition.

Implementing the random oracle would require exponentialrandomness.

Idea: Use a quantum pseudorandom function

Boneh, Dagdelen, Fischlin, Lehmann, Schaffner, Zhandry Random Oracles in a Quantum World

Page 44: Random Oracles in a Quantum World - cs.princeton.edumzhandry/docs/talks/QROM.slides.pdf · Introduction Positive Results Conclusion Random Oracles in a Quantum World Dan Boneh1 Ozgur

IntroductionPositive Results

Conclusion

SignaturesEncryption Schemes

Quantum PRF

A quantum pseudorandom function PRF is a keyed function thatquantum computers cannot tell from a random oracle. Precisely,for all polynomial-time quantum oracle algorithms A,∣∣∣Pr[APRFk () = 1]− Pr[AOq() = 1]

∣∣∣ < negl

Where the left probability is over k and the right is over Oq, bothchosen randomly.

No known provably secure constructions!

Boneh, Dagdelen, Fischlin, Lehmann, Schaffner, Zhandry Random Oracles in a Quantum World

Page 45: Random Oracles in a Quantum World - cs.princeton.edumzhandry/docs/talks/QROM.slides.pdf · Introduction Positive Results Conclusion Random Oracles in a Quantum World Dan Boneh1 Ozgur

IntroductionPositive Results

Conclusion

SignaturesEncryption Schemes

Quantum PRF

A quantum pseudorandom function PRF is a keyed function thatquantum computers cannot tell from a random oracle. Precisely,for all polynomial-time quantum oracle algorithms A,∣∣∣Pr[APRFk () = 1]− Pr[AOq() = 1]

∣∣∣ < negl

Where the left probability is over k and the right is over Oq, bothchosen randomly.

No known provably secure constructions!

Boneh, Dagdelen, Fischlin, Lehmann, Schaffner, Zhandry Random Oracles in a Quantum World

Page 46: Random Oracles in a Quantum World - cs.princeton.edumzhandry/docs/talks/QROM.slides.pdf · Introduction Positive Results Conclusion Random Oracles in a Quantum World Dan Boneh1 Ozgur

IntroductionPositive Results

Conclusion

SignaturesEncryption Schemes

Proof

Boneh, Dagdelen, Fischlin, Lehmann, Schaffner, Zhandry Random Oracles in a Quantum World

Page 47: Random Oracles in a Quantum World - cs.princeton.edumzhandry/docs/talks/QROM.slides.pdf · Introduction Positive Results Conclusion Random Oracles in a Quantum World Dan Boneh1 Ozgur

IntroductionPositive Results

Conclusion

SignaturesEncryption Schemes

Proof

Boneh, Dagdelen, Fischlin, Lehmann, Schaffner, Zhandry Random Oracles in a Quantum World

Page 48: Random Oracles in a Quantum World - cs.princeton.edumzhandry/docs/talks/QROM.slides.pdf · Introduction Positive Results Conclusion Random Oracles in a Quantum World Dan Boneh1 Ozgur

IntroductionPositive Results

Conclusion

SignaturesEncryption Schemes

GPV Reduction

Boneh, Dagdelen, Fischlin, Lehmann, Schaffner, Zhandry Random Oracles in a Quantum World

Page 49: Random Oracles in a Quantum World - cs.princeton.edumzhandry/docs/talks/QROM.slides.pdf · Introduction Positive Results Conclusion Random Oracles in a Quantum World Dan Boneh1 Ozgur

IntroductionPositive Results

Conclusion

SignaturesEncryption Schemes

Modified GPV Reduction

Boneh, Dagdelen, Fischlin, Lehmann, Schaffner, Zhandry Random Oracles in a Quantum World

Page 50: Random Oracles in a Quantum World - cs.princeton.edumzhandry/docs/talks/QROM.slides.pdf · Introduction Positive Results Conclusion Random Oracles in a Quantum World Dan Boneh1 Ozgur

IntroductionPositive Results

Conclusion

SignaturesEncryption Schemes

History-Freeness of GPV Reduction

This reduction is in history-free form!

Caveats:

fpk(r) for random r is NOT truly random for GPVconstruction.

GPV signatures are NOT truly random preimages of O(m)

Need to relax definition of history freeness to allowindistinguishable (by quantum adversaries)

Boneh, Dagdelen, Fischlin, Lehmann, Schaffner, Zhandry Random Oracles in a Quantum World

Page 51: Random Oracles in a Quantum World - cs.princeton.edumzhandry/docs/talks/QROM.slides.pdf · Introduction Positive Results Conclusion Random Oracles in a Quantum World Dan Boneh1 Ozgur

IntroductionPositive Results

Conclusion

SignaturesEncryption Schemes

History-Freeness of GPV Reduction

This reduction is in history-free form!

Caveats:

fpk(r) for random r is NOT truly random for GPVconstruction.

GPV signatures are NOT truly random preimages of O(m)

Need to relax definition of history freeness to allowindistinguishable (by quantum adversaries)

Boneh, Dagdelen, Fischlin, Lehmann, Schaffner, Zhandry Random Oracles in a Quantum World

Page 52: Random Oracles in a Quantum World - cs.princeton.edumzhandry/docs/talks/QROM.slides.pdf · Introduction Positive Results Conclusion Random Oracles in a Quantum World Dan Boneh1 Ozgur

IntroductionPositive Results

Conclusion

SignaturesEncryption Schemes

History-Freeness of GPV Reduction

This reduction is in history-free form!

Caveats:

fpk(r) for random r is NOT truly random for GPVconstruction.

GPV signatures are NOT truly random preimages of O(m)

Need to relax definition of history freeness to allowindistinguishable (by quantum adversaries)

Boneh, Dagdelen, Fischlin, Lehmann, Schaffner, Zhandry Random Oracles in a Quantum World

Page 53: Random Oracles in a Quantum World - cs.princeton.edumzhandry/docs/talks/QROM.slides.pdf · Introduction Positive Results Conclusion Random Oracles in a Quantum World Dan Boneh1 Ozgur

IntroductionPositive Results

Conclusion

SignaturesEncryption Schemes

Other History-Free Reductions

Full Domain Hash from claw-free permutations ([Cor00]).

Katz-Wang Signatures (KW03)

Boneh, Dagdelen, Fischlin, Lehmann, Schaffner, Zhandry Random Oracles in a Quantum World

Page 54: Random Oracles in a Quantum World - cs.princeton.edumzhandry/docs/talks/QROM.slides.pdf · Introduction Positive Results Conclusion Random Oracles in a Quantum World Dan Boneh1 Ozgur

IntroductionPositive Results

Conclusion

SignaturesEncryption Schemes

Encryption

History-freeness complicated by the challenge query. Easier toprove directly.

CPA-security of Bellare-Rogaway encryption scheme ([BR93]):

Epk(m) = fpk(r)||m ⊕ O(r) for a random r

where f is a trapdoor permutation.

CCA-security of hybrid encryption scheme:

Epk(m) = fpk(r)|| (ES)O(r) (m) for a random r

where f is a trapdoor permutation and ES is CCA-secureprivate key encryption.

Boneh, Dagdelen, Fischlin, Lehmann, Schaffner, Zhandry Random Oracles in a Quantum World

Page 55: Random Oracles in a Quantum World - cs.princeton.edumzhandry/docs/talks/QROM.slides.pdf · Introduction Positive Results Conclusion Random Oracles in a Quantum World Dan Boneh1 Ozgur

IntroductionPositive Results

Conclusion

SignaturesEncryption Schemes

Encryption

History-freeness complicated by the challenge query. Easier toprove directly.

CPA-security of Bellare-Rogaway encryption scheme ([BR93]):

Epk(m) = fpk(r)||m ⊕ O(r) for a random r

where f is a trapdoor permutation.

CCA-security of hybrid encryption scheme:

Epk(m) = fpk(r)|| (ES)O(r) (m) for a random r

where f is a trapdoor permutation and ES is CCA-secureprivate key encryption.

Boneh, Dagdelen, Fischlin, Lehmann, Schaffner, Zhandry Random Oracles in a Quantum World

Page 56: Random Oracles in a Quantum World - cs.princeton.edumzhandry/docs/talks/QROM.slides.pdf · Introduction Positive Results Conclusion Random Oracles in a Quantum World Dan Boneh1 Ozgur

IntroductionPositive Results

Conclusion

SignaturesEncryption Schemes

Encryption

History-freeness complicated by the challenge query. Easier toprove directly.

CPA-security of Bellare-Rogaway encryption scheme ([BR93]):

Epk(m) = fpk(r)||m ⊕ O(r) for a random r

where f is a trapdoor permutation.

CCA-security of hybrid encryption scheme:

Epk(m) = fpk(r)|| (ES)O(r) (m) for a random r

where f is a trapdoor permutation and ES is CCA-secureprivate key encryption.

Boneh, Dagdelen, Fischlin, Lehmann, Schaffner, Zhandry Random Oracles in a Quantum World

Page 57: Random Oracles in a Quantum World - cs.princeton.edumzhandry/docs/talks/QROM.slides.pdf · Introduction Positive Results Conclusion Random Oracles in a Quantum World Dan Boneh1 Ozgur

IntroductionPositive Results

Conclusion

SignaturesEncryption Schemes

Encryption

History-freeness complicated by the challenge query. Easier toprove directly.

CPA-security of Bellare-Rogaway encryption scheme ([BR93]):

Epk(m) = fpk(r)||m ⊕ O(r) for a random r

where f is a trapdoor permutation.

CCA-security of hybrid encryption scheme:

Epk(m) = fpk(r)|| (ES)O(r) (m) for a random r

where f is a trapdoor permutation and ES is CCA-secureprivate key encryption.

Boneh, Dagdelen, Fischlin, Lehmann, Schaffner, Zhandry Random Oracles in a Quantum World

Page 58: Random Oracles in a Quantum World - cs.princeton.edumzhandry/docs/talks/QROM.slides.pdf · Introduction Positive Results Conclusion Random Oracles in a Quantum World Dan Boneh1 Ozgur

IntroductionPositive Results

Conclusion

ConclusionOpen Problems

Conclusion

Classical security reductions do not carry over to the quantumworld

Restricted class of classical security proofs do imply quantumsecurity

GPV Signatures are secure

Boneh, Dagdelen, Fischlin, Lehmann, Schaffner, Zhandry Random Oracles in a Quantum World

Page 59: Random Oracles in a Quantum World - cs.princeton.edumzhandry/docs/talks/QROM.slides.pdf · Introduction Positive Results Conclusion Random Oracles in a Quantum World Dan Boneh1 Ozgur

IntroductionPositive Results

Conclusion

ConclusionOpen Problems

Conclusion

Classical security reductions do not carry over to the quantumworld

Restricted class of classical security proofs do imply quantumsecurity

GPV Signatures are secure

Boneh, Dagdelen, Fischlin, Lehmann, Schaffner, Zhandry Random Oracles in a Quantum World

Page 60: Random Oracles in a Quantum World - cs.princeton.edumzhandry/docs/talks/QROM.slides.pdf · Introduction Positive Results Conclusion Random Oracles in a Quantum World Dan Boneh1 Ozgur

IntroductionPositive Results

Conclusion

ConclusionOpen Problems

Conclusion

Classical security reductions do not carry over to the quantumworld

Restricted class of classical security proofs do imply quantumsecurity

GPV Signatures are secure

Boneh, Dagdelen, Fischlin, Lehmann, Schaffner, Zhandry Random Oracles in a Quantum World

Page 61: Random Oracles in a Quantum World - cs.princeton.edumzhandry/docs/talks/QROM.slides.pdf · Introduction Positive Results Conclusion Random Oracles in a Quantum World Dan Boneh1 Ozgur

IntroductionPositive Results

Conclusion

ConclusionOpen Problems

Conclusion

Classical security reductions do not carry over to the quantumworld

Restricted class of classical security proofs do imply quantumsecurity

GPV Signatures are secure

Boneh, Dagdelen, Fischlin, Lehmann, Schaffner, Zhandry Random Oracles in a Quantum World

Page 62: Random Oracles in a Quantum World - cs.princeton.edumzhandry/docs/talks/QROM.slides.pdf · Introduction Positive Results Conclusion Random Oracles in a Quantum World Dan Boneh1 Ozgur

IntroductionPositive Results

Conclusion

ConclusionOpen Problems

Open Problems

Generic Full Domain Hash

Signatures from Identification Protocols [FS86]

CCA-security from weaker security notions [FO99]

Quantum PRFs from one-way functions

Boneh, Dagdelen, Fischlin, Lehmann, Schaffner, Zhandry Random Oracles in a Quantum World

Page 63: Random Oracles in a Quantum World - cs.princeton.edumzhandry/docs/talks/QROM.slides.pdf · Introduction Positive Results Conclusion Random Oracles in a Quantum World Dan Boneh1 Ozgur

IntroductionPositive Results

Conclusion

ConclusionOpen Problems

Open Problems

Generic Full Domain Hash

Signatures from Identification Protocols [FS86]

CCA-security from weaker security notions [FO99]

Quantum PRFs from one-way functions

Boneh, Dagdelen, Fischlin, Lehmann, Schaffner, Zhandry Random Oracles in a Quantum World

Page 64: Random Oracles in a Quantum World - cs.princeton.edumzhandry/docs/talks/QROM.slides.pdf · Introduction Positive Results Conclusion Random Oracles in a Quantum World Dan Boneh1 Ozgur

IntroductionPositive Results

Conclusion

ConclusionOpen Problems

Open Problems

Generic Full Domain Hash

Signatures from Identification Protocols [FS86]

CCA-security from weaker security notions [FO99]

Quantum PRFs from one-way functions

Boneh, Dagdelen, Fischlin, Lehmann, Schaffner, Zhandry Random Oracles in a Quantum World

Page 65: Random Oracles in a Quantum World - cs.princeton.edumzhandry/docs/talks/QROM.slides.pdf · Introduction Positive Results Conclusion Random Oracles in a Quantum World Dan Boneh1 Ozgur

IntroductionPositive Results

Conclusion

ConclusionOpen Problems

Open Problems

Generic Full Domain Hash

Signatures from Identification Protocols [FS86]

CCA-security from weaker security notions [FO99]

Quantum PRFs from one-way functions

Boneh, Dagdelen, Fischlin, Lehmann, Schaffner, Zhandry Random Oracles in a Quantum World


Non-interactive zero-knowledge with quantum random oracles

Short Signatures Without Random Oracles and the SDH Assumption in Bilinear Groups (Part 1.)

Incubation Oracles

Short Signatures Without Random Oracles and the SDH ...crypto.stanford.edu/~dabo/papers/bbsigs.pdf · Short Signatures Without Random Oracles and the ... random oracle model.

Ring Signatures of Sub-linear Size without Random Oracles

Efficient Ring Signatures Without Random Oracles

Quantum Oracles

Limits of Random Oracles in Secure Computation

LNCS 1294 - Towards Realizing Random Oracles: Hash ...courses.csail.mit.edu/6.885/spring05/papers/canetti-crypto97.pdf · Towards Realizing Random Oracles: Hash Functions That Hide

Modeling Random Oracles under Unpredictable Queries · Modeling Random Oracles under Unpredictable Queries ... but is not useful in the context of hashing as the hash key is ... Hash

Short Signatures Without Random Oracles and the SDH ...dabo/pubs/papers/bbsigs.pdfShort Signatures Without Random Oracles and the SDH Assumption in Bilinear Groups Dan Boneh y Xavier

1 Compact Group Signatures Without Random Oracles Xavier Boyen and Brent Waters

Introduction to cryptology (GBIN8U16) 93 Hash functions · Hash functions 2018{02 4/27 Idealized hash functions: Random oracles Random oracle A function H ∶M →D s.t. ∀x ∈M,

Random Oracles in a Quantum World · Random Oracles in a Quantum World Dan Boneh1, Ozgur Dagdelen 2, Marc Fischlin , Anja Lehmann3, Christian Scha ner4, and Mark Zhandry1 1 Stanford

Random Oracles are Practicalmihir/papers/ro.pdf · 1998-07-30 · Random Oracles are Practical: AP aradigm for Designing E cien t Proto cols Mihir Bellare y Phillip R oga w a y Octob

Random Oracles and Non-Uniformitydodis/ps/presampling.pdfRandom Oracles and Non-Uniformity Sandro Coretti∗ New York University [email protected] Yevgeniy Dodis† New York University

Short Signatures Without Random Oracles and the SDH

Random Oracles and Non-Uniformity · Random Oracles and Non-Uniformity Sandro Coretti 1, Yevgeniy Dodis , Siyao Guo2, and John Steinberger3 1 New York University fcorettis,[email protected]

Fully Secure Multi-authority Ciphertext -Policy Attribute-Based Encryption without Random Oracles

Portable Oracles

Classical vs Quantum Random Oracles

Mountain Oracles

Average Dependence and Random Oracles (Preliminary Report)

Random Oracles in a Quantum World - arXivaccess to the random oracle. In this model the adversary is given oracle access to a random hash function O: {0,1}∗ →{0,1}∗ and it can

Bd oracles

Secure Identity Based Encryption Without Random Oraclesrobotics.stanford.edu/~xb/crypto04b/sibewro.pdf · Secure Identity Based Encryption Without Random Oracles Dan Boneh∗ [email protected]

Zoroastre Oracles

Complexity Theory Column 89: The Polynomial …theory.stanford.edu › ~liyang › sigact.pdfComplexity Theory Column 89: The Polynomial Hierarchy, Random Oracles, and Boolean Circuits1

Oracles Ql

Oracles Commitment

Toward RSA-OAEP without Random OraclesToward RSA-OAEP without Random Oracles Nairen Cao1 Adam O’Neill2 Mohammad Zaheri3 February 11, 2020 In Memoriam: John C. O’Neill (1953{2018)

Sequential Aggregate Signatures and Multisignatures Without Random Oracles

Short Signatures Without Random Oracles and the SDH ...ai.stanford.edu/~xb/joc07/bbsigs.pdfShort Signatures Without Random Oracles and the SDH Assumption in Bilinear Groups ∗ Dan

Formalizing Group Blind Signatures and Practical ... · FORMALIZING GROUP BLIND SIGNATURES AND PRACTICAL CONSTRUCTIONS WITHOUT RANDOM ORACLES Essam Ghadafi [email protected]

The Wonderful World of Global Random Oracles · The Wonderful World of Global Random Oracles ... the environment’s random-oracle queries, ... number of truly practical constructions