Online-Extractability in the Quantum Random-Oracle Model

We show the following generic result. Whenever a quantum query algorithm in the quantum random-oracle model outputs a classical value t that is promised to be in some tight relation with H(x) for some x, then x can be efficiently extracted with almost certainty. The extraction is by means of a suitable simulation of the random oracle and works online, meaning that it is straightline, i.e., without rewinding, and on-the-fly, i.e., during the protocol execution and without disturbing it. The technical core of our result is a new commutator bound that bounds the operator norm of the commutator of the unitary operator that describes the evolution of the compressed oracle (which is used to simulate the random oracle above) and of the measurement that extracts x. We show two applications of our generic online extractability result. We show tight online extractability of commit-and-open Σ-protocols in the quantum setting, and we offer the first complete post-quantum security proof of the textbook Fujisaki-Okamoto transformation, i.e., without adjustments to facilitate the proof, including concrete security bounds.
