
One archetypical example of where the QS1 principle comes into play is the Quantum Random Oracle Model (QROM). Recall that, in QS0, the Random Oracle Model (ROM) is a computation model where all parties have access to an oracle O_h computing a function h picked uniformly at random from the set of all functions from some domain X to some range Y. This model is useful when analyzing the security of schemes employing PRFs or hash functions. In other words, the (truly) random function h is just an abstraction, or a model, for a real-world function g which we assume behaves like a random function. But this also means that the random oracle O_h itself is an abstract model for the computation of the real-world, algorithmic function g, performed on some computer. And since the code for g is public, and can be run by anyone (after all, in the ROM the access to O_h is given to every participant in the scheme for this very reason), it is necessary to assume that a quantum adversary could implement the circuit computing g on his quantum computer, therefore being able to query g quantumly. Therefore, in the Quantum Random Oracle Model (QROM), the random oracle O_h must be replaced by a quantum random oracle |O_h⟩. It is important to stress the fact that there exist models where security is proven in the random oracle model against quantum adversaries. We strongly argue against the use of the term ‘post-quantum’ when referring to those models.

So, in other words, in QS1 the ROM must be replaced by the QROM, where every QPT algorithm has access to a quantum oracle:

$$|O_h\rangle : |x, y\rangle \mapsto |x, y \oplus h(x)\rangle,$$

and where h is chosen uniformly at random from the set of all functions from X to Y, as in the random oracle model.

QROM Emulation

Notice the following difficulty when defining the QROM operationally. Classically, as explained in Section 2.3, during a cryptographic reduction a random oracle is emulated by a PPT algorithm, for example through lazy sampling. But lazy sampling cannot work for quantum random oracles, for two reasons. First of all, a single quantum query to |O_h⟩ could require the emulator to lazy-sample too many elements. E.g., a query of the form:

$$\sum_{x \in \{0,1\}^n} \frac{1}{\sqrt{2^n}} \, |x, 0\rangle$$

would query all the exponentially-many input values at once, and so it would ‘force’ the emulator to ‘fix’ all those values at the same time. This is not compatible with what we require from an efficient cryptographic reduction.
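To make the first problem concrete, here is a small Python toy (an added example, not code from the thesis) that represents a state of the input/output registers as a dictionary of basis states and amplitudes, applies |O_h⟩ : |x, y⟩ ↦ |x, y ⊕ h(x)⟩ to it, and emulates h by classical lazy sampling. Counting how many entries of the lookup table the emulator has to fix shows the gap between a classical query |x, 0⟩ (one entry) and the uniform-superposition query above (all 2^n entries). The class and function names are this example's own.

```python
import random


class LazyQRO:
    """Toy emulator of the quantum random oracle |O_h> for h: {0,1}^n -> {0,1}^m.
    Values of h are lazy-sampled the first time a basis state |x, y> with non-zero
    amplitude reaches the oracle (constructed example, not the thesis' own code)."""

    def __init__(self, n, m, seed=0):
        self.n, self.m = n, m
        self.table = {}                 # the classical lookup table of the ROM emulator
        self.rng = random.Random(seed)  # seeded so runs are reproducible

    def h(self, x):
        if x not in self.table:         # lazy sampling: fix h(x) on first use only
            self.table[x] = self.rng.randrange(2 ** self.m)
        return self.table[x]

    def apply(self, state):
        """Apply |x, y> -> |x, y xor h(x)> to a state given as {(x, y): amplitude}."""
        out = {}
        for (x, y), amp in state.items():
            if amp == 0:
                continue
            key = (x, y ^ self.h(x))
            out[key] = out.get(key, 0) + amp
        return out


def classical_query(x):
    """The basis state |x, 0>: a single classical query."""
    return {(x, 0): 1.0}


def uniform_query(n):
    """sum_x 2^(-n/2) |x, 0>: one query in uniform superposition over all 2^n inputs."""
    amp = 2 ** (-n / 2)
    return {(x, 0): amp for x in range(2 ** n)}


def values_fixed_by(state, n, m, seed=0):
    """How many entries of h a fresh lazy-sampling emulator must fix to answer `state`."""
    oracle = LazyQRO(n, m, seed)
    oracle.apply(state)
    return len(oracle.table)


def oracle_is_involution(n, m, seed=0):
    """Applying |O_h> twice to the uniform query returns the original state
    (y xor h(x) xor h(x) = y); both passes are answered from the same table."""
    oracle = LazyQRO(n, m, seed)
    psi = uniform_query(n)
    back = oracle.apply(oracle.apply(psi))
    same_state = back.keys() == psi.keys() and all(
        abs(back[k] - psi[k]) < 1e-12 for k in psi)
    return same_state and len(oracle.table) == 2 ** n


if __name__ == "__main__":
    n, m = 4, 3
    print("classical query fixes", values_fixed_by(classical_query(5), n, m), "value(s)")
    print("superposition query fixes", values_fixed_by(uniform_query(n), n, m), "value(s)")
    print("oracle applied twice is the identity:", oracle_is_involution(n, m))
```

The dictionary grows linearly with the number of basis states of non-zero amplitude in the query, which is exactly why the emulator's work is exponential in n for the superposition query and why a lookup table is not a meaningful tool for a quantum reduction.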

The second problem is that the concept of a lookup table, used in the classical ROM to answer consistently with the previous queries, becomes meaningless. Firstly because such a table could quickly reach exponential size, as the previous query example shows; and secondly because, as discussed in Section 4.1, there might be no way to check whether the values of some query are in the table or not without destroying the query.

Luckily, there exist a few other techniques to solve the above issues and to make the QROM a meaningful tool in QS1. If the number of queries performed by the adversary to the QRO is known a priori, then the QRO can be efficiently emulated by d-wise independent functions. These are families of functions that are statistically indistinguishable from random functions if queried (classically) no more than d times. An example is polynomial functions of degree d − 1. It is known [Zha12b] that no quantum algorithm performing at most q queries can distinguish between random oracles and distributions of 2q-wise independent functions.
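The following Python example (added here; not from the thesis or from [Zha12b]) makes the polynomial construction concrete over a small prime field GF(p): a uniformly random coefficient vector in GF(p)^d defines a polynomial of degree at most d − 1, and an exhaustive count over all p^d polynomials checks that on any k ≤ d distinct inputs the outputs are exactly uniform over GF(p)^k, while for k = d + 1 inputs they are not (d + 1 outputs determine the polynomial). The last function packages the QROM use of this fact: for an adversary bounded to q quantum queries, sample a polynomial with 2q coefficients. Function names and the choice of p are this example's own.

```python
from itertools import combinations, product
import random


def poly_eval(coeffs, x, p):
    """Evaluate sum_i coeffs[i] * x^i over GF(p) using Horner's rule."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % p
    return acc


def is_kwise_independent(p, d, k):
    """Exhaustively check whether polynomials of degree <= d-1 over GF(p) (coefficient
    vector uniform in GF(p)^d) are k-wise independent: for every choice of k distinct
    inputs, each output tuple in GF(p)^k must be hit by exactly p^(d-k) polynomials.
    p must be prime so that GF(p) is a field (p = 5 in the test below)."""
    if k > d:
        return False  # only p^d functions, so p^k output tuples cannot all be hit uniformly
    per_tuple = p ** (d - k)
    for points in combinations(range(p), k):
        counts = {}
        for coeffs in product(range(p), repeat=d):
            outs = tuple(poly_eval(coeffs, x, p) for x in points)
            counts[outs] = counts.get(outs, 0) + 1
        if len(counts) != p ** k or any(c != per_tuple for c in counts.values()):
            return False
    return True


def emulated_qro(p, q, seed=0):
    """Emulate a QRO X = Y = GF(p) for an adversary making at most q quantum queries:
    a random polynomial of degree 2q-1 (2q coefficients) is 2q-wise independent, which by
    [Zha12b] suffices. Returns the function and its (secret) coefficients."""
    rng = random.Random(seed)
    coeffs = [rng.randrange(p) for _ in range(2 * q)]
    return (lambda x: poly_eval(coeffs, x, p)), coeffs


if __name__ == "__main__":
    p, d = 5, 3
    for k in (2, 3, 4):
        print(f"degree-{d - 1} polynomials over GF({p}) are {k}-wise independent:",
              is_kwise_independent(p, d, k))
    h, coeffs = emulated_qro(p=7, q=2)
    print("emulated QRO table:", [h(x) for x in range(7)])
```

The exhaustive check is only feasible for tiny p, but the argument it verifies is the general one: on d distinct points the map from coefficients to outputs is an invertible Vandermonde system, so the outputs are uniform, and this is what makes the family safe to substitute for a random oracle against a bounded number of queries.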

Another common technique is to emulate a RO with a PRF, which is useful if one does not know a priori an upper bound on the number of adversarial queries. In the QROM we need something analogous, but classical PRFs alone cannot work. One idea might be to use post-quantum PRFs (we will define them in the next section), but actually, for emulating a QRO, classical access to the PRF is not enough, so we need something more: quantum-secure (superposition-secure) PRFs will be defined in the next chapter.

QROM Reprogramming

It is important to analyze what happens when reprogramming a quantum random oracle |O_h⟩. In particular, a useful technique often consists in injecting some fixed value y for a subset S ⊂ X of possible input query values, so that h(x) := y for all x ∈ S. Intuitively, if the set S is ‘very small’, it is going to be very hard for a quantum algorithm to distinguish the modified oracle from a true QRO. However, some proofs might rely explicitly on the probability of the adversary querying one of those values, so it is important to have a detailed quantitative analysis for these probabilities.

We start by recalling [Zha12a] a tool known as semi-constant distributions.

Definition 4.2 (Semi-Constant Distributions). Let H := {h : X → Y} be the family of functions between sets X and Y, and let δ ∈ [0, 1]. We define the δ-fraction semi-constant distribution U_δ as the distribution over H resulting from the following procedure:

1: sample y ←$ Y
2: for all x ∈ X do
3:   sample p ←$ [0, 1]
4:   if p ≤ δ then
5:     define h(x) := y
6:   else
7:     sample y′ ←$ Y
8:     define h(x) := y′
9: Return: h

Notice that U_0 is the uniform distribution, while U_1 is a constant distribution. Also note that the distribution, when used within an oracle, is consistent in the sense that the settings are chosen once at the outset. We will use this definition to describe a QRO which has been ‘reprogrammed’ on a fraction δ of its possible inputs. The following lemma [Zha12b] gives an upper bound, in terms of statistical distance, on the probability that a quantum algorithm’s behavior changes when switching from a true QRO to a quantum oracle for a function drawn from U_δ.
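As an added example (not part of the thesis), the Python below implements the sampling procedure of Definition 4.2 step by step, returning the whole table h at once so that an oracle built from it answers consistently, as the paragraph above requires, together with the set S of inputs on which h was forced to y. A second function shows the complementary reprogramming view: overwrite an existing table on a chosen set S. The function names, the tuple return value and the sample sizes are this example's own choices; no lemma bound is computed here because the lemma is stated later in the text.

```python
import random


def sample_semi_constant(X, Y, delta, seed=0):
    """Sample h from the delta-fraction semi-constant distribution U_delta (Definition 4.2).
    Returns (h, y, S): the function as a dict, the fixed value y, and the set S of inputs
    on which h(x) := y was forced. Constructed example, not the thesis' own code."""
    rng = random.Random(seed)           # seeded: the table is fixed once, at the outset
    y = rng.choice(Y)                   # step 1: y uniform in Y
    h, S = {}, set()
    for x in X:                         # step 2: for all x in X
        p = rng.random()                # step 3: p uniform in [0, 1)
        if p < delta:                   # step 4: p <= delta; p == delta has probability 0
            h[x] = y                    # step 5: reprogrammed point
            S.add(x)
        else:
            h[x] = rng.choice(Y)        # steps 7-8: fresh uniform value y'
    return h, y, S                      # step 9: return h (plus y and S for analysis)


def reprogram(h, S, y):
    """Reprogramming view: copy an existing oracle table h and set h(x) := y for x in S."""
    h2 = dict(h)
    for x in S:
        h2[x] = y
    return h2


def forced_fraction(h, S):
    """Empirical fraction |S| / |X| of inputs that were forced to the constant y."""
    return len(S) / len(h)


if __name__ == "__main__":
    X, Y = range(10_000), range(256)
    for delta in (0.0, 0.1, 1.0):
        h, y, S = sample_semi_constant(X, Y, delta)
        print(f"delta={delta}: forced fraction {forced_fraction(h, S):.3f}, "
              f"distinct outputs {len(set(h.values()))}")
    h, y, S = sample_semi_constant(range(8), range(4), 0.0)
    print("before:", h, "after reprogramming {1, 2} to 3:", reprogram(h, {1, 2}, 3))
```

For δ = 0 no input is forced and h is a uniformly random function; for δ = 1 every input is forced and h is constant; for intermediate δ the forced fraction concentrates around δ, which is the quantity the reprogramming analysis that follows is parameterised by.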
