
On the Compressed-Oracle Technique, and Post-Quantum Security of Proofs of Sequential Work

  • Conference paper
  • Advances in Cryptology – EUROCRYPT 2021 (EUROCRYPT 2021)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 12697)

Abstract

We revisit the so-called compressed oracle technique, introduced by Zhandry for analyzing quantum algorithms in the quantum random oracle model (QROM). To start off with, we offer a concise exposition of the technique, which easily extends to the parallel-query QROM, where in each query-round the considered algorithm may make several queries to the QROM in parallel. This variant of the QROM allows for a more fine-grained query-complexity analysis.

Our main technical contribution is a framework that simplifies the use of (the parallel-query generalization of) the compressed oracle technique for proving query complexity results. With our framework in place, whenever applicable, it is possible to prove quantum query complexity lower bounds by means of purely classical reasoning. More than that, for typical examples the crucial classical observations that give rise to the classical bounds are sufficient to conclude the corresponding quantum bounds.

We demonstrate this on a few examples, recovering known results but also obtaining new results. Our main target is the hardness of finding a q-chain with fewer than q parallel queries, i.e., a sequence \(x_0, x_1,\ldots , x_q\) with \(x_i = H(x_{i-1})\) for all \(1 \le i \le q\).

The above problem of finding a hash chain is of fundamental importance in the context of proofs of sequential work. Indeed, as a concrete cryptographic application of our techniques, we prove quantum security of the “Simple Proofs of Sequential Work” by Cohen and Pietrzak.
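To make the abstract's cost measure concrete, the following is an added example (not code from the paper or its authors): a classical model of the parallel-query oracle in which a query is charged to a round one later than the round in which its input was obtained from the oracle, so independent queries share a round while a q-chain \(x_i = H(x_{i-1})\) necessarily spans q rounds. H is instantiated with SHA-256 as a stand-in for the random oracle, and the class and function names are assumptions of this example.

```python
import hashlib

# Added example: a round-counting model of the parallel-query oracle.
# A query whose input is an oracle output first obtained in round r is
# charged to round r + 1; freely chosen inputs are usable in round 1.
# SHA-256 stands in for the random oracle H (an assumption).


def H(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()


class RoundCountingOracle:
    def __init__(self) -> None:
        self.total_queries = 0   # total number of queries made
        self.rounds = 0          # number of query rounds used so far
        self._available_at = {}  # oracle output -> earliest round it appeared

    def query(self, x: bytes) -> bytes:
        self.total_queries += 1
        # Inputs never returned by the oracle count as freely chosen (round 0);
        # an input that is an earlier output must wait one round after it appeared.
        r = self._available_at.get(x, 0) + 1
        y = H(x)
        self._available_at[y] = min(self._available_at.get(y, r), r)
        self.rounds = max(self.rounds, r)
        return y


def make_chain(oracle: RoundCountingOracle, x0: bytes, q: int) -> list:
    """Honest sequential computation of a q-chain x_0, x_1, ..., x_q."""
    chain = [x0]
    for _ in range(q):
        chain.append(oracle.query(chain[-1]))
    return chain


def parallel_chains(oracle: RoundCountingOracle, starts: list, q: int) -> list:
    """k independent q-chains built round by round: k*q queries but only q rounds."""
    chains = [[x0] for x0 in starts]
    for _ in range(q):
        for c in chains:
            c.append(oracle.query(c[-1]))
    return chains


def verify_chain(chain: list) -> bool:
    """Checks x_i = H(x_{i-1}) for all 1 <= i <= q, as in the q-chain definition."""
    return all(H(chain[i - 1]) == chain[i] for i in range(1, len(chain)))
```

Running several chains in parallel multiplies the total query count but leaves the round count at q, which is exactly the distinction the parallel-query QROM makes visible.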

This research is partially supported by Ministry of Science and Technology, Taiwan, under Grant no. MOST 109-2223-E-001-001-MY3, MOST QC project, under Grant no. MOST 109-2627-M-002-003, and Executive Yuan Data Safety and Talent Cultivation Project (AS-KPQ-110-DSTCP).


Notes

  1. The problem of finding a q-chain looks similar to the iterated hashing studied in [18]; however, a crucial difference is that the start of the chain, \(x_0\), is freely chosen here.

  2. We stress that we define \(D[x \!\mapsto \! y]\) also for x with \(D(x) \ne \bot \), which then means that D is redefined at point x; this will be useful later.

  3. In line with Remark 2, we consider \(\mathsf {P}|_{D|^\mathbf{x}}\) to be a projection acting on \({\mathbb {C}}[\bar{\mathcal{Y}}^k]\), and thus \(\mathsf {I}\) in the last term is the identity in \(\mathcal {L}({\mathbb {C}}[\bar{\mathcal{Y}}^k])\).

  4. In more detail, \(\mathsf {L}_x|_{D|^\mathbf{x}}=\{0\}\) whenever \(x \in \{x_1,\ldots ,x_k\}\), and otherwise it is constant true if \(D(x) = 0\) and constant false if \(D(x) \ne 0\).

  5. By a subtree of \(G_{n}^{\mathsf {PoSW}}\) we mean a subgraph of \(G_{n}^{\mathsf {PoSW}}\) that is a subtree of the complete binary tree \(B_n\) when restricted to edges in \(E'_n\). We are also a bit sloppy with not distinguishing between the graph T and the vertices of T.

References

  1. Ambainis, A.: Polynomial degree and lower bounds in quantum complexity: collision and element distinctness with small range. Theor. Comput. 1(1), 37–46 (2005)

  2. Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient protocols. In: First ACM Conference on Computer and Communications Security, pp. 62–73. ACM (1993)

  3. Bennett, C.H., Bernstein, E., Brassard, G., Vazirani, U.: Strengths and weaknesses of quantum computing. SIAM J. Comput. 26(5), 1510–1523 (1997)

  4. Blocki, J., Lee, S., Zhou, S.: On the security of proofs of sequential work in a post-quantum world. arXiv/cs.CR, Report 2006.10972 (2020). https://arxiv.org/abs/2006.10972

  5. Boneh, D., Dagdelen, Ö., Fischlin, M., Lehmann, A., Schaffner, C., Zhandry, M.: Random oracles in a quantum world. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 41–69. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25385-0_3

  6. Brassard, G., Hoyer, P., Tapp, A.: Quantum algorithm for the collision problem. arXiv/quant-ph, Report 9705002 (1997). https://arxiv.org/abs/quant-ph/9705002

  7. Canetti, R., Goldreich, O., Halevi, S.: The random oracle methodology, revisited. J. ACM (JACM) 51(4), 557–594 (2004)

  8. Chiesa, A., Manohar, P., Spooner, N.: Succinct arguments in the quantum random oracle model. In: Hofheinz, D., Rosen, A. (eds.) TCC 2019, Part II. LNCS, vol. 11892, pp. 1–29. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-36033-7_1

  9. Chung, K.M., Fehr, S., Huang, Y.H., Liao, T.N.: On the compressed-oracle technique, and post-quantum security of proofs of sequential work. Cryptology ePrint Archive, Report 2020/1305 (2020). https://eprint.iacr.org/2020/1305

  10. Cohen, B., Pietrzak, K.: Simple proofs of sequential work. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018, Part II. LNCS, vol. 10821, pp. 451–467. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78375-8_15

  11. Czajkowski, J., Majenz, C., Schaffner, C., Zur, S.: Quantum lazy sampling and game-playing proofs for quantum indifferentiability. arXiv/quant-ph, Report 1904.11477 (2019). https://arxiv.org/abs/1904.11477

  12. Fiat, A., Shamir, A.: How to prove yourself: practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987). https://doi.org/10.1007/3-540-47721-7_12

  13. Grover, L.K.: A fast quantum mechanical algorithm for database search. In: Proceedings of the Twenty-Eighth Annual ACM Symposium on Theory of Computing, pp. 212–219 (1996)

  14. Hamoudi, Y., Magniez, F.: Quantum time-space tradeoffs by recording queries. arXiv/quant-ph, Report 2002.08944 (2020). https://arxiv.org/abs/2002.08944

  15. Hosoyamada, A., Iwata, T.: 4-round Luby-Rackoff construction is a qPRP. In: Galbraith, S.D., Moriai, S. (eds.) ASIACRYPT 2019, Part I. LNCS, vol. 11921, pp. 145–174. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-34578-5_6

  16. Jeffery, S., Magniez, F., de Wolf, R.: Optimal parallel quantum query algorithms. Algorithmica 79(2), 509–529 (2017)

  17. Liu, Q., Zhandry, M.: Revisiting post-quantum Fiat-Shamir. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019, Part II. LNCS, vol. 11693, pp. 326–355. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26951-7_12

  18. Unruh, D.: Revocable quantum timed-release encryption. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 129–146. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-55220-5_8

  19. Zalka, C.: Grover’s quantum searching algorithm is optimal. Phys. Rev. A 60, 2746–2751 (1999). https://doi.org/10.1103/PhysRevA.60.2746

  20. Zhandry, M.: How to record quantum queries, and applications to quantum indifferentiability. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019, Part II. LNCS, vol. 11693, pp. 239–268. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26951-7_9


Acknowledgements

We thank Jeremiah Blocki, Seunghoon Lee, and Samson Zhou for the open discussion regarding their work [4], which achieves comparable results for the hash-chain problem and the Simple PoSW scheme.

Corresponding author

Correspondence to Kai-Min Chung.


Copyright information

© 2021 International Association for Cryptologic Research

About this paper


Cite this paper

Chung, KM., Fehr, S., Huang, YH., Liao, TN. (2021). On the Compressed-Oracle Technique, and Post-Quantum Security of Proofs of Sequential Work. In: Canteaut, A., Standaert, FX. (eds) Advances in Cryptology – EUROCRYPT 2021. EUROCRYPT 2021. Lecture Notes in Computer Science, vol 12697. Springer, Cham. https://doi.org/10.1007/978-3-030-77886-6_21

  • DOI: https://doi.org/10.1007/978-3-030-77886-6_21

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-77885-9

  • Online ISBN: 978-3-030-77886-6