![Page 1: Indiff-crypto 16x9 2pdfmzhandry/docs/talks/QIndiff.slides.pdf · Indiff-crypto 16x9 2pdf Author: Mark Zhandry Created Date: 9/6/2019 12:27:22 AM](https://reader034.vdocuments.pub/reader034/viewer/2022051322/6038dca57e635e2fb306fd13/html5/thumbnails/1.jpg)
How to Record Quantum Queries and Applications to Quantum Indifferentiability
Mark Zhandry
Princeton University & NTT Research
This talk: Σ_x α_x ω_N^{xy}
Me
The (Classical) Random Oracle Model (ROM) [Bellare-Rogaway'93]
Cryptosystem <-> hash function
Cryptosystem <-> H (the hash function is modeled as a random oracle H)
Typical ROM Proof: On-the-fly Simulation
H as a table:  Input | Output
               x1    | y1
               x2    | y2
               x3    | y3
               x4    | y4
Query(x, D):
  If (x, y) ∈ D: Return (y, D)
  Else: y ←$ Y; D' = D + (x, y); Return (y, D')
Typical ROM Proof: On-the-fly Simulation
Allows us to:
• Know the inputs the adversary cares about ✓
• Know the corresponding outputs ✓
• (Adaptively) program the outputs ✓
• Easy analysis of bad events (e.g. collisions) ✓
The Quantum Random Oracle Model (QROM) [Boneh-Dagdelen-Fischlin-Lehmann-Schaffner-Z'11]
Cryptosystem <-> H, with the adversary making quantum (superposition) queries to H
Now standard in post-quantum crypto
Problem with Classical Proofs in QROM
H as a table:  Input | Output
               x1    | y1
               x2    | y2
               x3    | y3
               x4    | y4
How do we record the x values?
Problem with Classical Proofs in QROM
Observer Effect: Learning anything about a quantum system disturbs it
H answers obliviously, so no disturbance
Reduction must answer obliviously, too?
Typical QROM Proof
H fixed once and for all at the beginning
Limitations
Allows us to:
• Know the inputs the adversary cares about? ✗
• Know the corresponding outputs? ✗
• (Adaptively) program the outputs? ✓/✗
• Easy analysis of bad events (e.g. collisions)? ✗
Limitations
Good News: Numerous positive results (30+ papers)
Bad News: Still some major holdouts:
• Indifferentiable domain extension
• Fiat-Shamir
• Luby-Rackoff
• ROM → ICM
Example: Domain Extension for Random Oracles
Q: Does Merkle-Damgård preserve random-oracle-ness?
MD^h: IV → h → h → h → h, absorbing the message blocks x1, x2, x3, x4 in turn
Example: Domain Extension for Random Oracles
A: Yes(ish) [Coron-Dodis-Malinaud-Puniya'05]
How? Indifferentiability [Maurer-Renner-Holenstein'04]
Real World: (MD^h, h)  ≈  Ideal World: (H, Sim^H)
Thm [Ristenpart-Shacham-Shrimpton'11]: Indifferentiability ⇒ as good as RO for "single stage games"
Quantum Indifferentiability?
Real World: (MD^h, h)  ≈  Ideal World: (H, Sim^H), now against quantum adversaries
Concurrently considered by [Carstens-Ebrahimi-Tabia-Unruh'18]
Quantum Indifferentiability?
Easy Thm: Stateless simulation for domain extension is impossible, classically or quantumly
Proof idea: Compress the truth table of a random H
Are we toast?
This Work: On-the-fly simulation of quantum random oracles
(aka Compressed Oracles)
Step 1: Quantum-ify (aka Purify)
Random H  <-(measurement)-  purified state Σ_H |H⟩
Measuring the purified state gives the uniform distribution over H
Step 1: Quantum-ify (aka Purify)
Initial oracle state: Σ_H |H⟩
Query(x, y, H): y = y ⊕ H(x)
  (x, y: the adversary's query registers; H: the oracle's state)
Reciprocity (Newton's Third Law of Quantum)
Wave/particle duality: Quantum states <-> signals
Reciprocity: System A acts on system B in Primal  <=>  System B acts on system A in Fourier
Proof: the Fourier Transform maps the operator A to A^{-T}
• Used in old impossibilities for unconditional quantum protocols [Lo'97, Lo-Chau'97, Mayers'97, Nayak'99]
• Idea behind quantum Auth Enc [Barnum-Crepeau-Gottesman-Smith-Tapp'02]
Step 2: Look at Fourier Domain
H → Ĥ
Step 2: Look at Fourier Domain
Initial oracle state: Ĥ(x) = 0 for all x
Query(x, y, Ĥ): Ĥ = Ĥ ⊕ P_{x,y}
  where P_{x,y}(x') = y if x' = x, and 0 otherwise
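An added numerical check of the Step 2 rule (my code, not from the talk): on a toy purified oracle with n inputs and one output bit, transforming the y and H registers to the Fourier (Hadamard) domain, applying the primal query y ⊕= H(x), and transforming back is exactly the update Ĥ ⊕= P_{x,ŷ}. The function names, the dict-of-amplitudes state representation and the restriction to 1-bit outputs are my assumptions.

```python
from itertools import product

# States are dicts mapping a basis label (x, y, H) to a real amplitude, with H the
# truth table of the oracle as a tuple of n bits. Hadamard is the Fourier transform
# over bits, and XOR is the group operation on outputs.

def hadamard_y_and_H(state, n):
    """Hadamard on the 1-bit y register and on each of the n bits of H."""
    out = {}
    scale = 2 ** (-(n + 1) / 2)
    for (x, y, H), amp in state.items():
        for yh in (0, 1):
            for Hh in product((0, 1), repeat=n):
                sign = (-1) ** (y * yh + sum(a * b for a, b in zip(H, Hh)))
                out[(x, yh, Hh)] = out.get((x, yh, Hh), 0.0) + sign * scale * amp
    return {k: v for k, v in out.items() if abs(v) > 1e-9}

def primal_query(state):
    """Step 1 query in the standard basis: y = y XOR H(x)."""
    return {(x, y ^ H[x], H): amp for (x, y, H), amp in state.items()}

def fourier_query(state):
    """Step 2 query: H_hat = H_hat XOR P_{x,y_hat}, i.e. flip bit x of H_hat iff y_hat = 1."""
    out = {}
    for (x, yh, Hh), amp in state.items():
        Hh2 = tuple(b ^ yh if i == x else b for i, b in enumerate(Hh))
        out[(x, yh, Hh2)] = amp
    return out

def same_state(s, t):
    """Amplitude-wise equality up to floating-point noise."""
    return all(abs(s.get(k, 0.0) - t.get(k, 0.0)) < 1e-9 for k in set(s) | set(t))

def check_fourier_rule(n):
    """For every Fourier-basis state |x, y_hat, H_hat>, going to the primal domain,
    querying there, and coming back must agree with the Step 2 rule (by linearity
    this covers every superposition as well)."""
    for x in range(n):
        for yh in (0, 1):
            for Hh in product((0, 1), repeat=n):
                psi = {(x, yh, Hh): 1.0}
                via_primal = hadamard_y_and_H(primal_query(hadamard_y_and_H(psi, n)), n)
                if not same_state(via_primal, fourier_query(psi)):
                    return False
    return True
```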
Step 3: Compress
Observation: After q queries, Ĥ is non-zero on at most q points
So Ĥ can be stored as a database D̂ of its non-zero points
Step 3: Compress
Initial oracle state: D̂ = {}
Query(x, y, D̂):
  (1) If there is no (x, y') ∈ D̂: D̂ = D̂ + (x, 0)
  (2) Replace (x, y') ∈ D̂ with (x, y' ⊕ y)
  (3) If (x, 0) ∈ D̂: remove it
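An added basis-state walkthrough of the Step 3 rules (my code, not from the talk): the same query sequence is applied to the full Fourier-domain oracle and to the compressed database D̂, and the result shows that D̂ is exactly the set of non-zero points of Ĥ, so |D̂| ≤ q after q queries, including the erasure case (3). The list/dict representation and integer-XOR outputs are my assumptions; the real compressed oracle applies these rules in superposition.

```python
import random

# Domain X = {0, ..., n-1}; outputs are non-negative ints combined with XOR.
# The full Fourier-domain oracle H_hat is a list over all of X; the compressed
# database D_hat is a dict holding only its non-zero points.

def full_fourier_update(H_hat, x, y):
    """Step 2 rule: H_hat = H_hat XOR P_{x,y}, where P_{x,y} is y at x and 0 elsewhere."""
    H_hat = list(H_hat)
    H_hat[x] ^= y
    return H_hat

def compressed_update(D_hat, x, y):
    """Step 3 rule on the sparse database (dict x -> y').
    (1) if x has no entry, add (x, 0); (2) replace (x, y') by (x, y' XOR y);
    (3) if the entry is now (x, 0), remove it: the erasure case."""
    D_hat = dict(D_hat)
    D_hat.setdefault(x, 0)       # (1)
    D_hat[x] ^= y                # (2)
    if D_hat[x] == 0:            # (3)
        del D_hat[x]
    return D_hat

def support(H_hat):
    """The non-zero points of the full oracle, as a dict x -> value."""
    return {x: v for x, v in enumerate(H_hat) if v != 0}

def run_queries(n, queries):
    """Apply the same query sequence to both representations.
    Returns (final D_hat, support of final H_hat, largest |D_hat| seen)."""
    H_hat = [0] * n   # initial Fourier-domain state: the all-zero function
    D_hat = {}
    largest = 0
    for x, y in queries:
        H_hat = full_fourier_update(H_hat, x, y)
        D_hat = compressed_update(D_hat, x, y)
        largest = max(largest, len(D_hat))
    return D_hat, support(H_hat), largest

def random_queries(n, q, seed=0):
    """Constructed sample input: q random (x, y) queries on a domain of size n."""
    rng = random.Random(seed)
    return [(rng.randrange(n), rng.randrange(8)) for _ in range(q)]
```

Querying the same (x, y) twice cancels in the Fourier domain and the point disappears from D̂; a query with y = 0 never creates an entry.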
Step 3: Compress
D̂:  Input | ?????
     x1    | z1
     x2    | z2
     x3    | z3
     x4    | z4
Points the adversary cares about: the inputs x1, ..., x4
Step 4: Revert back to Primal Domain
D̂ → D
Step 4: Revert back to Primal Domain
D:  Input | Output
    x1    | y1
    x2    | y2
    x3    | y3
    x4    | y4
Points the adversary cares about  ≈  Corresponding outputs
Roughly analogous to classical on-the-fly simulation
Main Difference: Occasional erasure
Compressed Oracles
Allows us to:
• Know the inputs the adversary cares about? ✓
• Know the corresponding outputs? ✓
• (Adaptively) program the outputs? ✓
• Easy analysis of bad events (e.g. collisions)? ✗  Fixed by [Don-Fehr-Majenz-Schaffner'19, Liu-Z'19], later this session!
So, what happened?
Recall…
Observer Effect: Learning anything about a quantum system disturbs it
The adversary learns about H through queries, so H gets disturbed
Compressed oracles decode such disturbance
Caveats
Outputs in the database are ≠ 0 in the Fourier domain
y values aren't exactly query outputs
Examining x, y values perturbs the state
Still must be careful about how we use them
But, still good enough for many applications…
Applications In This Work
Quantum Indiff. of Merkle-Damgård
Easily re-prove quantum lower bounds:
• Ω(N^{1/2}) queries needed for Grover search
• Ω(N^{1/3}) queries needed for collision finding
• Ω(N^{1/(k+1)}) queries needed for k-SUM
CCA-security of plain Fujisaki-Okamoto
Further Applications
[Alagic-Majenz-Russell-Song'18]: Quantum-secure signature separation
[Liu-Z'19a]: Tight bounds for the multi-collision problem
[Liu-Z'19b]: Fiat-Shamir ([Don-Fehr-Majenz-Schaffner'19]: direct proof)
[Czajkowski-Majenz-Schaffner-Zur'19]: Indifferentiability of Sponge
[Hosoyamada-Iwata'19]: 4-round Luby-Rackoff
[Bindel-Hamburg-Hülsing-Persichetti'19]: Tighter CCA security proofs
[Chiesa-Manohar-Spooner'19]: zk-SNARKs
Lessons Learned
Always purify your oracles!