Random Oracles in a Quantum World
The interest in post-quantum cryptography - classical systems that remain secure in the presence of a quantum adversary - has generated elegant proposals for new cryptosystems. Some of these systems are set in the random oracle model and are proven secure relative to adversaries that have classical access to the random oracle. We argue that to prove post-quantum security one needs to prove security in the quantum-accessible random oracle model where the adversary can query the random oracle with quantum states. We begin by separating the classical and quantum-accessible random oracle models by presenting a scheme that is secure when the adversary is given classical access to the random oracle, but is insecure when the adversary can make quantum oracle queries. We then set out to develop generic conditions under which a classical random oracle proof implies security in the quantum-accessible random oracle model. We introduce the concept of a history-free reduction which is a category of classical random oracle reductions that basically determine oracle answers independently of the history of previous queries, and we prove that such reductions imply security in the quantum model. We then show that certain post-quantum proposals, including ones based on lattices, can be proven secure using history-free reductions and are therefore post-quantum secure. We conclude with a rich set of open problems in this area.


💡 Research Summary

The paper addresses a fundamental gap in the security analysis of post‑quantum cryptographic schemes that are proved secure in the classical random oracle model (ROM). Classical proofs assume the adversary can query the oracle only with classical bit strings, but a quantum adversary can submit a superposition of inputs and receive the answers in superposition: the oracle acts as a unitary map on the query register, sending |x, y⟩ to |x, y ⊕ H(x)⟩. This leads to the definition of the quantum‑accessible random oracle model (QROM), in which the oracle must support such quantum queries.

The authors first demonstrate that the two models are not equivalent by constructing a concrete cryptographic scheme that is secure when the adversary has only classical oracle access but becomes insecure under quantum oracle queries. This “separation scheme” shows that a proof of security in the classical ROM does not automatically guarantee security in the QROM, and that new proof techniques are required for the quantum setting.

To bridge this gap, the paper introduces the notion of a “history‑free reduction.” In a history‑free reduction, the simulator that answers oracle queries does so independently of the entire sequence of previous queries; each answer depends only on the current query and a fixed probability distribution. This property matters because a quantum query can be a superposition over many inputs: a simulator whose answers depended on the history of earlier queries would have to observe (measure) each query in order to record it, disturbing the adversary's state and invalidating the reduction. The authors prove that if a classical ROM proof can be expressed as a history‑free reduction, then the same proof carries over to the QROM. The proof relies on the linearity of quantum operations and shows that the simulator’s answers remain consistent with the required oracle distribution even when queried in superposition.
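To make the two points above concrete (the oracle as a unitary, and why a history-free simulator can serve a superposition query while a lazy-sampling one cannot), here is a small added simulation. It is example code written for this summary, not code from the paper or its authors. It models a random oracle with n-bit inputs and 1-bit outputs on a 2^(n+1)-dimensional state vector; the history-free simulator derives every H(x) from a fixed seed (SHA-256 of the seed and x is an assumed stand-in for "a fixed function chosen up-front"), whereas the lazy simulator stores answers in a table that grows with the query history.

```python
import hashlib
import math
import random
from typing import Callable, Dict, List

def history_free_oracle(seed: bytes, n_in: int) -> Callable[[int], int]:
    """H: {0..2^n_in-1} -> {0,1}, fixed entirely by `seed`.

    Stand-in for a history-free simulator: the answer to x depends only on x
    and the fixed randomness `seed` (hypothetical choice of derivation), never
    on earlier queries, so the whole function exists before any query and can
    be turned into a unitary acting on a superposition of inputs.
    """
    def H(x: int) -> int:
        digest = hashlib.sha256(seed + x.to_bytes(8, "big")).digest()
        return digest[0] & 1
    return H

class LazyOracle:
    """Classical lazy-sampling simulator: answers are drawn on first use and
    remembered. Its internal state *is* the query history, so it needs a
    classical x to look up; there is no single x in a superposition query."""
    def __init__(self, rng: random.Random):
        self.table: Dict[int, int] = {}
        self.rng = rng
    def query(self, x: int) -> int:
        if x not in self.table:          # history-dependent branch
            self.table[x] = self.rng.getrandbits(1)
        return self.table[x]

def apply_oracle_unitary(state: List[complex], H: Callable[[int], int]) -> List[complex]:
    """|x, y> -> |x, y ^ H(x)>, applied to every basis vector at once.
    Index layout: idx = (x << 1) | y, so the last bit is the output qubit."""
    out = [0j] * len(state)
    for idx, amp in enumerate(state):
        if amp == 0:
            continue
        x, y = idx >> 1, idx & 1
        out[(x << 1) | (y ^ H(x))] += amp
    return out

def norm_squared(state: List[complex]) -> float:
    return sum(abs(a) ** 2 for a in state)

def phase_kickback_query(H: Callable[[int], int], n_in: int) -> List[int]:
    """Query the oracle with a uniform superposition of all x and the output
    qubit in |->. The oracle answers every x in one step; H(x) ends up as the
    sign (-1)^H(x) on |x>. We read those signs back off the simulated state to
    check that the unitary really evaluated H on all 2^n inputs simultaneously
    (a real adversary would not see amplitudes, only measurement outcomes)."""
    N = 1 << n_in
    a = 1 / math.sqrt(2 * N)
    state = [0j] * (2 * N)
    for x in range(N):
        state[(x << 1) | 0] = a      # |x>|0> component of |x>|->
        state[(x << 1) | 1] = -a     # |x>|1> component of |x>|->
    after = apply_oracle_unitary(state, H)
    assert abs(norm_squared(after) - 1.0) < 1e-9   # unitary: norm preserved
    return [0 if after[x << 1].real > 0 else 1 for x in range(N)]

if __name__ == "__main__":
    H = history_free_oracle(b"constructed-demo-seed", 3)
    print("H from superposition query:", phase_kickback_query(H, 3))
    print("H evaluated classically:   ", [H(x) for x in range(8)])
    lazy = LazyOracle(random.Random(7))
    print("lazy table after one classical query:", lazy.query(5), lazy.table)
```

With classical queries the two simulators are indistinguishable (both realise a uniformly random function, under the assumption that the seeded derivation behaves like one), which is why classical ROM proofs are free to pick either. The superposition query shows the asymmetry: `apply_oracle_unitary` needs `H` defined on all inputs before the query arrives, which `history_free_oracle` provides, whereas `LazyOracle.query` can only run once it is handed a classical `x`.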

Armed with this generic result, the paper surveys several prominent post‑quantum proposals, especially lattice‑based constructions such as those based on Learning With Errors (LWE) and Short Integer Solution (SIS). The authors verify that the existing security reductions for these schemes are indeed history‑free, and therefore the schemes inherit security in the QROM. This provides a rigorous justification for the quantum‑resilience of many candidates currently under consideration in the NIST post‑quantum standardization process.

The final section outlines open research directions. Key challenges include: (1) transforming non‑history‑free classical proofs into QROM‑compatible ones; (2) quantifying the exact relationship between the number of quantum queries and the tightness of reductions; (3) developing refined models for “quantum superposition attacks” that go beyond simple query counting; and (4) extending the history‑free framework to other families of post‑quantum primitives such as code‑based, multivariate, and hash‑based schemes.

In summary, the paper formalizes the quantum‑accessible random oracle model, demonstrates the insufficiency of classical ROM proofs for quantum security, and provides a powerful sufficient condition, history‑free reductions, that allows many existing classical proofs to be lifted directly to the quantum setting. This work lays essential theoretical groundwork for the reliable deployment of post‑quantum cryptography in a world where adversaries possess quantum capabilities.
