On the Compressed-Oracle Technique, and Post-Quantum Security of Proofs of Sequential Work
We revisit the so-called compressed oracle technique, introduced by Zhandry for analyzing quantum algorithms in the quantum random oracle model (QROM). To start off with, we offer a concise exposition of the technique, which easily extends to the parallel-query QROM, where in each query-round the co...
Saved in:
Main Authors | , , , |
---|---|
Format | Journal Article |
Language | English |
Published |
22.10.2020
|
Subjects | |
Online Access | Get full text |
Cover
Loading…
Summary: | We revisit the so-called compressed oracle technique, introduced by Zhandry
for analyzing quantum algorithms in the quantum random oracle model (QROM). To
start off with, we offer a concise exposition of the technique, which easily
extends to the parallel-query QROM, where in each query-round the considered
algorithm may make several queries to the QROM in parallel. This variant of the
QROM allows for a more fine-grained query-complexity analysis.
Our main technical contribution is a framework that simplifies the use of
(the parallel-query generalization of) the compressed oracle technique for
proving query complexity results. With our framework in place, whenever
applicable, it is possible to prove quantum query complexity lower bounds by
means of purely classical reasoning. More than that, for typical examples the
crucial classical observations that give rise to the classical bounds are
sufficient to conclude the corresponding quantum bounds.
We demonstrate this on a few examples, recovering known results (like the
optimality of parallel Grover), but also obtaining new results (like the
optimality of parallel BHT collision search). Our main target is the hardness
of finding a $q$-chain with fewer than $q$ parallel queries, i.e., a sequence
$x_0, x_1,\ldots, x_q$ with $x_i = H(x_{i-1})$ for all $1 \leq i \leq q$.
The above problem of finding a hash chain is of fundamental importance in the
context of proofs of sequential work. Indeed, as a concrete cryptographic
application of our techniques, we prove that the "Simple Proofs of Sequential
Work" proposed by Cohen and Pietrzak remains secure against quantum attacks.
Such an analysis is not simply a matter of plugging in our new bound; the
entire protocol needs to be analyzed in the light of a quantum attack. Thanks
to our framework, this can now be done with purely classical reasoning. |
---|---|
DOI: | 10.48550/arxiv.2010.11658 |