A Note on Quantum Security for Post-Quantum Cryptography
Shor’s quantum factoring algorithm and a few other efficient quantum algorithms break many classical crypto-systems. In response, people proposed post-quantum cryptography based on computational problems that are believed hard even for quantum computers. However, security of these schemes against quantum attacks is elusive. This is because existing security analysis (almost) only deals with classical attackers and arguing security in the presence of quantum adversaries is challenging due to unique quantum features such as no-cloning.
This work proposes a general framework to study which classical security proofs can be restored in the quantum setting. Basically, we split a security proof into (a sequence of) classical security reductions, and investigate what security reductions are “quantum-friendly”. We characterize sufficient conditions such that a classical reduction can be “lifted” to the quantum setting.
We then apply our lifting theorems to post-quantum signature schemes. We are able to show that the classical generic construction of hash-tree based signatures from one-way functions and and a more efficient variant proposed in  carry over to the quantum setting. Namely, assuming existence of (classical) oneway functions that are resistant to efficient quantum inversion algorithms, there exists a quantum-secure signature scheme. We note that the scheme in  is a promising (post-quantum) candidate to be implemented in practice and our result further justifies it. Actually, to obtain these result, we formalize a simple criteria, which is motivated by many classical proofs in the literature and is straightforward to check. This makes our lifting theorem easier to apply, and it should be useful elsewhere to prove quantum security of proposed post-quantum cryptographic schemes. Finally we demonstrate the generality of our framework by showing that several existing works (Full-Domain hash in the quantum randomoracle model  and the simple hybrid arguments framework in ) can be reformulated under our unified framework.
KeywordsSignature Scheme Random Oracle Security Proof Classical Security Lift Theorem
Unable to display preview. Download preview PDF.
- 4.Bellare, M., Rogaway, P.: Random oracles are practical: A paradigm for designing efficient protocols. In: Proceedings of the 1st ACM Conference on Computer and Communications Security, pp. 62–73. ACM (1993)Google Scholar
- 6.Bernstein, D.J., Buchmann, J., Dahmen, E.: Post-quantum cryptography. Springer (2009)Google Scholar
- 15.Gentry, C., Wichs, D.: Separating succinct non-interactive arguments from all falsifiable assumptions. In: Proceedings of the Forty-Third Annual ACM Symposium on Theory of Computing, pp. 99–108. ACM (2011)Google Scholar
- 19.van de Graaf, J.: Towards a formal definition of security for quantum protocols. PhD thesis, Départment d’informatique et de recherche opérationnelle, Université de Montréal (1997)Google Scholar
- 21.Halevi, S.: A plausible approach to computer-aided cryptographic proofs. Cryptology ePrint Archive, Report 2005/181 (2005)Google Scholar
- 25.Katz, J., Koo, C.Y.: On constructing universal one-way hash functions from arbitrary one-way functions. IACR Cryptology ePrint Archive 2005, 328 (2005)Google Scholar
- 26.Katz, J., Lindell, Y.: Introduction to modern cryptography: principles and protocols. CRC Press (2007)Google Scholar
- 28.Lamport, L.: Constructing digital signatures from a one-way function. Tech. Report: SRI International Computer Science Laboratory (1979)Google Scholar
- 32.Merkle, R.C.: A certified digital signature. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 218–238. Springer, Heidelberg (1990)Google Scholar
- 33.Micciancio, D., Regev, O.: Lattice-based cryptography. In: Post-quantum cryptography, pp. 147–191. Springer (2009)Google Scholar
- 35.Pass, R.: Limits of provable security from standard assumptions. In: Proceedings of the Forty-Third Annual ACM Symposium on Theory of Computing, pp. 109–118. ACM (2011)Google Scholar
- 37.Rompel, J.: One-way functions are necessary and sufficient for secure signatures. In: Proceedings of the Twenty-Second Annual ACM Symposium on Theory of Computing, pp. 387–394. ACM (1990)Google Scholar
- 38.Sendrier, N.: Code-based cryptography. In: Encyclopedia of Cryptography and Security, pp. 215–216. Springer (2011)Google Scholar
- 40.Shoup, V.: Sequences of games: a tool for taming complexity in security proofs. Cryptology ePrint Archive, Report 2004/332 (2005)Google Scholar
- 45.Yao, A.C.: Theory and application of trapdoor functions. In: 23rd Annual Symposium on Foundations of Computer Science, SFCS 2008, pp. 80–91. IEEE (1982)Google Scholar
- 46.Zhandry, M.: How to construct quantum random functions. In: 2012 IEEE 53rd Annual Symposium on Foundations of Computer Science (FOCS), pp. 679–687. IEEE (2012)Google Scholar