Random Oracles in a Quantum World

  • Dan Boneh
  • Özgür Dagdelen
  • Marc Fischlin
  • Anja Lehmann
  • Christian Schaffner
  • Mark Zhandry
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7073)


The interest in post-quantum cryptography — classical systems that remain secure in the presence of a quantum adversary — has generated elegant proposals for new cryptosystems. Some of these systems are set in the random oracle model and are proven secure relative to adversaries that have classical access to the random oracle. We argue that to prove post-quantum security one needs to prove security in the quantum-accessible random oracle model where the adversary can query the random oracle with quantum state.

We begin by separating the classical and quantum-accessible random oracle models by presenting a scheme that is secure when the adversary is given classical access to the random oracle, but is insecure when the adversary can make quantum oracle queries. We then set out to develop generic conditions under which a classical random oracle proof implies security in the quantum-accessible random oracle model. We introduce the concept of a history-free reduction which is a category of classical random oracle reductions that basically determine oracle answers independently of the history of previous queries, and we prove that such reductions imply security in the quantum model. We then show that certain post-quantum proposals, including ones based on lattices, can be proven secure using history-free reductions and are therefore postquantum secure. We conclude with a rich set of open problems in this area.


Quantum Random Oracle Signatures Encryption 


  1. [Aar09]
    Aaronson, S.: Quantum copy-protection and quantum money. In: Structure in Complexity Theory Conference, pp. 229–242 (2009)Google Scholar
  2. [ABB10a]
    Agrawal, S., Boneh, D., Boyen, X.: Efficient Lattice (H)IBE in the Standard Model. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 553–572. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  3. [ABB10b]
    Agrawal, S., Boneh, D., Boyen, X.: Lattice Basis Delegation in Fixed Dimension and Shorter-Ciphertext Hierarchical IBE. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 98–115. Springer, Heidelberg (2010)Google Scholar
  4. [AS04]
    Aaronson, S., Shi, Y.: Quantum lower bounds for the collision and the element distinctness problems. Journal of the ACM 51(4), 595–605 (2004)CrossRefzbMATHMathSciNetGoogle Scholar
  5. [BBBV97]
    Bennett, C.H., Bernstein, E., Brassard, G., Vazirani, U.V.: Strengths and weaknesses of quantum computing. SIAM J. Comput. 26(5), 1510–1523 (1997)CrossRefzbMATHMathSciNetGoogle Scholar
  6. [BBC+98]
    Beals, R., Buhrman, H., Cleve, R., Mosca, M., de Wolf, R.: Quantum lower bounds by polynomials. In: Proceedings of the Annual Symposium on Foundations of Computer Science (FOCS) 1998, pp. 352–361. IEEE Computer Society Press (1998)Google Scholar
  7. [BDF+10]
    Boneh, D., Dagdelen, Ö., Fischlin, M., Lehmann, A., Schaffner, C., Zhandry, M.: Random oracles in a quantum world. Cryptology ePrint Archive, Report 2010/428 (2010),
  8. [Ber09]
    Bernstein, D.J.: Cost analysis of hash collisions: Will quantum computers make SHARCS obsolete? In: SHARCS 2009: Special-Purpose Hardware for Attacking Cryptographic Systems (2009)Google Scholar
  9. [BF11]
    Boneh, D., Freeman, D.M.: Homomorphic Signatures for Polynomial Functions. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 149–168. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  10. [BHK+11]
    Brassard, G., Høyer, P., Kalach, K., Kaplan, M., Laplante, S., Salvail, L.: Merkle Puzzles in a Quantum World. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 391–410. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  11. [BHT98]
    Brassard, G., Høyer, P., Tapp, A.: Quantum Cryptanalysis of Hash and Claw-Free Functions. In: Lucchesi, C.L., Moura, A.V. (eds.) LATIN 1998. LNCS, vol. 1380, pp. 163–169. Springer, Heidelberg (1998)CrossRefGoogle Scholar
  12. [BJ99]
    Bshouty, N.H., Jackson, J.C.: Learning DNF over the uniform distribution using a quantum example oracle. SIAM Journal on Computing 28(3), 1136–1153 (1999)CrossRefzbMATHMathSciNetGoogle Scholar
  13. [Boy10]
    Boyen, X.: Lattice Mixing and Vanishing Trapdoors: A Framework for Fully Secure Short Signatures and More. In: Nguyen, P.Q., Pointcheval, D. (eds.) PKC 2010. LNCS, vol. 6056, pp. 499–517. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  14. [BR93]
    Bellare, M., Rogaway, P.: Random oracles are practical: A paradigm for designing efficient protocols. In: Proc. of ACM Conference on Computers and Communication Security, pp. 62–73 (1993)Google Scholar
  15. [BS08]
    Brassard, G., Salvail, L.: Quantum Merkle Puzzles. In: Second International Conference on Quantum, Nano and Micro Technologies (ICQNM 2008), pp. 76–79 (February 2008)Google Scholar
  16. [Can01]
    Canetti, R.: Universally composable security: A new paradigm for cryptographic protocols. In: Proceedings of the Annual Symposium on Foundations of Computer Science (FOCS) 2001. IEEE Computer Society Press (2001), for an updated version see
  17. [CGH98]
    Canetti, R., Goldreich, O., Halevi, S.: The random oracle methodology, revisited. In: Proceedings of the Annual Symposium on the Theory of Computing (STOC) 1998, pp. 209–218. ACM Press (1998)Google Scholar
  18. [CHKP10]
    Cash, D., Hofheinz, D., Kiltz, E., Peikert, C.: Bonsai Trees, or How to Delegate a Lattice Basis. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 523–552. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  19. [CLRS10]
    Cayrel, P.-L., Lindner, R., Rückert, M., Silva, R.: Improved Zero-Knowledge Identification with Lattices. In: Heng, S.-H., Kurosawa, K. (eds.) ProvSec 2010. LNCS, vol. 6402, pp. 1–17. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  20. [Cor00]
    Coron, J.-S.: On the Exact Security of Full Domain Hash. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 229–235. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  21. [DR03]
    Dodis, Y., Reyzin, L.: On the Power of Claw-Free Permutations. In: Cimato, S., Galdi, C., Persiano, G. (eds.) SCN 2002. LNCS, vol. 2576, pp. 55–73. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  22. [FLR+10]
    Fischlin, M., Lehmann, A., Ristenpart, T., Shrimpton, T., Stam, M., Tessaro, S.: Random Oracles with(out) Programmability. In: Abe, M. (ed.) ASIACRYPT 2010. LNCS, vol. 6477, pp. 303–320. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  23. [FO99]
    Fujisaki, E., Okamoto, T.: Secure Integration of Asymmetric and Symmetric Encryption Schemes. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 537–554. Springer, Heidelberg (1999)Google Scholar
  24. [FOPS01]
    Fujisaki, E., Okamoto, T., Pointcheval, D., Stern, J.: RSA-OAEP is Secure Under the RSA Assumption. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 260–274. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  25. [GGM86]
    Goldreich, O., Goldwasser, S., Micali, S.: How to construct random functions. Journal of the ACM 33, 792–807 (1986)CrossRefMathSciNetGoogle Scholar
  26. [GKV10]
    Gordon, S.D., Katz, J., Vaikuntanathan, V.: A Group Signature Scheme from Lattice Assumptions. In: Abe, M. (ed.) ASIACRYPT 2010. LNCS, vol. 6477, pp. 395–412. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  27. [GMR88]
    Goldwasser, S., Micali, S., Rivest, R.L.: A Digital Signature Scheme Secure Against Adaptive Chosen-Message Attacks. SIAM Journal on Computing 17(2), 281 (1988)CrossRefzbMATHMathSciNetGoogle Scholar
  28. [GPV08]
    Gentry, C., Peikert, C., Vaikuntanathan, V.: Trapdoors for hard lattices and new cryptographic constructions. In: Proceedings of the Fourtieth Annual ACM Symposium on Theory of Computing - STOC 2008, p. 197 (2008)Google Scholar
  29. [Gro96]
    Grover, L.K.: A fast quantum mechanical algorithm for database search. In: Proceedings of the Annual Symposium on the Theory of Computing (STOC) 1996, pp. 212–219. ACM (1996)Google Scholar
  30. [Gro98]
    Grover, L.K.: Quantum Search on Structured Problems. In: Williams, C.P. (ed.) QCQC 1998. LNCS, vol. 1509, pp. 126–139. Springer, Heidelberg (1999)CrossRefGoogle Scholar
  31. [HSS11]
    Hallgren, S., Smith, A., Song, F.: Classical Cryptographic Protocols in a Quantum World. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 411–428. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  32. [KW03]
    Katz, J., Wang, N.: Efficiency improvements for signature schemes with tight security reductions. In: Proceedings of the 10th ACM Conference on Computer and Communication Security - CCS 2003, p. 155 (2003)Google Scholar
  33. [NC00]
    Nielsen, M.A., Chuang, I.L.: Quantum Computation and Quantum Information. Cambridge University Press (2000)Google Scholar
  34. [NIS07]
    NIST. National institute of standards and technology: Sha-3 competition (2007),
  35. [PS00]
    Pointcheval, D., Stern, J.: Security arguments for digital signatures and blind signatures. Journal of Cryptology 13(3), 361–396 (2000)CrossRefzbMATHGoogle Scholar
  36. [PW08]
    Peikert, C., Waters, B.: Lossy trapdoor functions and their applications. In: Proceedings of the 14th Annual ACM Symposium on Theory of Computing - STOC 2008, p. 187 (2008)Google Scholar
  37. [Reg02]
    Regev, O.: Quantum computation and lattice problems. In: FOCS, pp. 520–529 (2002)Google Scholar
  38. [SG04]
    Servedio, R.A., Gortler, S.J.: Equivalences and separations between quantum and classical learnability. SIAM Journal on Computing 33(5), 1067–1092 (2004)CrossRefzbMATHMathSciNetGoogle Scholar
  39. [Sho97]
    Shor, P.: Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM J. Comput. 26(5), 1484–1509 (1997)CrossRefzbMATHMathSciNetGoogle Scholar
  40. [Unr10]
    Unruh, D.: Universally Composable Quantum Multi-Party Computation. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 486–505. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  41. [Wat09]
    Watrous, J.: Zero-knowledge against quantum attacks. SIAM Journal on Computing 39(1), 25–58 (2009)CrossRefzbMATHMathSciNetGoogle Scholar

Copyright information

© International Association for Cryptologic Research 2011

Authors and Affiliations

  • Dan Boneh
    • 1
  • Özgür Dagdelen
    • 2
  • Marc Fischlin
    • 2
  • Anja Lehmann
    • 3
  • Christian Schaffner
    • 4
  • Mark Zhandry
    • 1
  1. 1.Stanford UniversityUSA
  2. 2.CASED & Darmstadt University of TechnologyGermany
  3. 3.IBM Research ZurichSwitzerland
  4. 4.University of Amsterdam and CWIThe Netherlands

Personalised recommendations