 Hello, everyone. I'm Takashi. Today, I will talk about classical versus quantum random oracles. This is a joint work with Mark Chandry. The random oracle model ROM was introduced by Belar and Rogaway in 1993. This model is the idealization of cryptographic hash functions. In the ROM, some random function h is randomly chosen at the beginning of security games and then arbitrary is allowed to make oracle access to the random function. The ROM is very useful for analyzing practical cryptographic schemes, so this has been used for analyzing a variety of constructions. The quantum random model to ROM is the quantum version of the ROM introduced by Bonnet et al. in 2011. The difference from the original ROM is that in the queue ROM, arbitrary is allowed to make quantum query to the random oracle. That is, it can query quantum superposition of inputs, and then the oracle returns the output in superposition. And the reason why we should consider such a quantum access to the oracle is that the random oracle is usually instantiated with some fixed cryptographic hash functions in the real world. Therefore, if arbitrary has a quantum computer, then it can quantumly evaluate the hash function. So this corresponds to quantum oracle access in the quantum random model. And this is why we should study queue ROM for ensuring post-quantum security. Here I would like to review what are known about the queue ROM. As pointed out by the first work by Bonnet et al, many proof techniques in the ROM doesn't work in the queue ROM, at least in a straightforward manner. Those techniques include pre-image awareness and adaptive programmability. Therefore, in the past decade, new proof techniques in the queue ROM have been developed, and this line of research made a great success, and now almost all major protocols in the ROM are also proven secure in the queue ROM. Those protocols include Fujisaki Okamoto, OAP, Fiat Shamir, and full domain hash. And so now there is no known scheme that is secure in ROM, but insecure in queue ROM. Then it is natural to ask the foreign question, does security in ROM imply security in queue ROM? This is our main question. And in this work, we give both positive and negative answer to the question, and our first result is a negative answer. We give the first separation between ROM and queue ROM, and specifically, we give a contraction of PKE and signature schemes that are secure in the ROM, but insecure in the queue ROM. And I remark that a similar result was also shown in the concurrent work by John et al. And on the other hand, we also give some positive result, but specifically we give some ROM to queue ROM lifting theorems under some conditions. And we also show some applications of the lifting theorems to the setting of signatures and query complexity. From now, I will explain more technical details about our separation result. And for giving our separation, we introduce a new primitive which we call proof of quantum access to random oracle, P-O-Q-R-O, which captures the essence of the separation between ROM and queue ROM. And intuitively, this is an interactive protocol between prover and verifier, where prover proves that it has a quantum access to random oracle to classical verifier. More specifically, the verifier first generates a pair of public key and secret key, and sends public key to the prover. And then prover, given public key and quantum access to random function, generates the proof pi, and then sends the proof pi to the verifier, and the verifier verifies the proof to output acceptance or rejection. And we require completeness and soundness. Completeness means that if both parties work honestly, then verifier accepts with probability 1, and soundness means that if prover only has classical access to random function, then verifier accepts with negligible probability. And if you're familiar with the notion of proof of quantumness introduced by Bracketsky et al., then you may find similarity with P-O-Q. However, the difference is that in P-O-Q, we only require soundness against completely classical reaching prover. On the other hand, in our P-O-Q-O, we require soundness against even quantum cheating prover with only classical oracle access. So this is the difference from P-O-Q. We give two constructions of P-O-Q-O in this work, and the first construction is based on the LW assumption. Interestingly, this construction is actually exactly the same as the recent construction of P-O-Q by Bracketsky et al. That is, we just observed that the P-O-Q actually also satisfies the soundness as P-O-Q-O. And because the construction is exactly the same, I will not explain the detail, but their protocol looks like the following. The verifier first generates low-free permutation F and sends F to the prover. Then the prover runs some quantum computation by using quantum access to H. And finally, we get some pair of classical strings, M and D, that certify this equation, where X0 and X1 are the clove of F. And especially, what is important is that we have a time of H of X0 or H of X1 here. Therefore, if a cheating prover only has classical access to random oracle, then this X0 is uniformly random unless the ad-buff retrieves both X0 and X1. However, it can query both of them only with negligible probability by their clove freeness. Therefore, if cheating prover only has classical access to random oracle, then this time looks random. And therefore, it is difficult to generate M and D that certify this equation with high probability. Therefore, this gives a separation between ROM and Q-ROM. And by using P-O-Q-O, we can easily get ROM-Q-ROM separations for signature and PK schemes. And for example, I will explain the case of signatures. Let pi-sig be your EUF-themed secure signature scheme. Then consider modified scheme pi-prime-thick food-signing algorithm to return the secret key, if the message is valid P-O-Q-O proof. And this modification doesn't affect security in the ROM because by the time of P-O-Q-O, the add-bath rate in the ROM cannot find valid P-O-Q-O proof. On the other hand, this modification makes the protocol completely insecure in the Q-ROM because add-bath rate in the Q-ROM can find valid P-O-Q-O proof by the completeness of P-O-Q-O. Therefore, it can just query such a valid P-O-Q-O proof to get the secret key to completely break the security. Therefore, this gives the example of the separation for EUF-themed signatures. And similar separation is possible in the CCAPKE by embedding P-O-Q-O verification into the decryption protocol. And here we observe that those separations rely on the fact that there is an oracle that uses secret information like signing and decryption records. And so this technique is not applicable to EUF-themed signatures where there is no signing queries and in the CCAPKE where there is no decryption queries. And the reason why we need oracle with secret information is that the LW-based P-O-Q-O needs a secret key for the verification. Therefore, if we have publicly verifiable P-O-Q-O or where the verification can be done publicly, then we can extend those separations to EUF, NMA, and in the CCAPKE case. Therefore, next, we study constructions of publicly verifiable P-O-Q-O. For constructing publicly verifiable P-O-Q-O, we rely on equivocal collision resistant hash ECRH introduced by Amos et al. ECRH is a function F that satisfies the four and two properties. The first is the collision resistance that just means that one cannot find the collision of F. And the second is equivocality, which means that one can sample image Y along with some quantum state SK that enables one to find pre-image X such that F of X equal Y and P of X equal B for either B equal 0 and 1 where P is some predicate that is very balanced. Here, the very balanced means that the sizes of pre-images of 0 and 1 are not too different. And here I remark that we don't claim that one can find pre-images with P of X equal 0 and 1 simultaneously, rather SK only enable one to find either of them. However, the point is that the B can be determined adaptively. And I remark that this is a unique quantum capability because if this can be done classically, then by rewinding, we can break collision resistance. And in the work of Amoth et al, they constructed ECRH for the case of predicate, it said to be the least significant bit of X relative to some artificial classical oracle. We observe that their proof naturally extends to arbitrary predicate as long as P is very balanced, especially we consider to set the predicate by using random oracle with one bit output. By using ECRH for such a random oracle predicate, we construct publicly verifiable POQL as follows. And the first we construct four round version of POQL. In the protocol, the modifier first generates ECRHF and sends F to the prover. And then prover generates the pair of Y and SK and sends Y. And the modifier randomly picks challenge B and sends B to the prover. And then the prover all finds X such that F of X equal Y and H of X equal B by using the equivocality of ECRH. And then sends X to the verifier. And then the verifier checks if this equation actually holds. And the completeness is clear from the description. And the soundness can be seen as follows by the collision resistance of F. If P only has classical access to H, then it can know the value of H of X for at most one preimage of X of Y except for negligible probability. And then the probability that this particular value of H of X is equal to B is one-half because B is randomly chosen by the verifier. Therefore, the verifier accepts the probability at most one-half plus negligible. And this soundness error can be amplified to negligible or by prior repetition. And here I observed that the third round message B is just public coin. So by using the standard technique of Fiat-Chamille transformation, we can reduce the number of rounds of the protocol. If we consider the prior repetition version of the previous protocol, and then we derive the challenges B1 to Bn by using another random oracle G. And then we can compress the protocol to two-round protocol. And by the standard technique, we can reduce the soundness of this two-round version to soundness of four-round version. And now we obtain a two-round publicly vilifiable POQLO from ECRH. Next, I explained how to use publicly vilifiable POQLO to give separations of ROM and QROM for INDACP secure PKE and EUF NMN signatures. For INDACP secure PKE, the idea is similar to the case of INDACP secure PKE. But the difference is that now the verification can be done publicly. So we can embed the verification algorithm of POQLO into the encryption algorithm of the PKE rather than the decryption algorithm. Therefore, this naturally gives separation for INDACP security. And similarly, by embedding POQLO verification into the verification algorithm of signature, we can get separation for EUF NMN signatures. And here I remarked that because the contraction of ECRH rely on some artificial classical oracle. So those separations also rely on the same classical oracle. Therefore, we don't have actual instantiation of such schemes, but we can interpret these results as a negative evidence for ROM to QROM lifting theorem for those security notions. Next, I would like to move on to our lifting theorem part. So we give lifting theorem for what we call such type game, which is described as follows. The such type game is the interactive protocol between quantum adversary and classical challenger, where the classical challenger finally outputs acceptance or rejection. And our lifting theorem is stated as follows. Let K be the number of challenger queries. Then for any quantum polynomial time, A making Q quantum queries. There exists quantum polynomial time B making K classical queries such that the probability that A lets the challenger accept is upper bounded by 2Q plus 1 to the power of 2K times probability that B lets the challenger accept. And especially when K is constant and Q is polynomial, then we have the following. If the probability that B lets the challenger accept is negligible, then the probability that A lets the challenger accept is also negligible. And one can see that this corresponds to the security in the ROM because B only makes classical queries. And this corresponds to security in the QROM because A makes quantum queries. So in the setting where challenger makes only constant number of queries, this theorem can be seen as our lifting theorem from ROM security to the QROM security. And I would like to explain some queries of our lifting theorem. And first, we can see that there is no Poq at all where the number of refined queries is constant. Remark that for both of our constructions, the modifier makes super constant number of queries because we amplify the sound error by using super constant number of power repetition. And second, for any needs in ROM, food setup and verification algorithm make constant number of queries. That is also sound in the QROM. And the typical example is Fiat-Chameleon-Isk. And we can show a similar lifting theorem for EUF NMA signatures. Unfortunately, we cannot extend this to EUF CMA signatures in such a general form. On the other hand, we give an extend lifting theorem to EUF CMA signatures with some additional conditions that are satisfied by Fiat-Chameleon and FDH signatures. And the intuition behind that is that we already know that there is EUF NMA to EUF CMA lifting theorem for those signature schemes. So we first apply our ROM to QROM lifting theorem for EUF NMA security. And then after that, we apply this lifting theorem to upgrade the security to EUF CMA security. And we also obtain an extremely simple tool to get query lower bounds in the QROM. And for example, we can replace the optimality of Grover's algorithm only in two lines. So this is very simple and useful. And the caveat is that this tool often gives non-tight bounds. But we believe that this tool is useful when we are not interested in tight bounds and we are only interested in giving negligible upper bound, which is often in the case of in the cryptography. And finally, I would like to explain our proof idea for the lifting theorem. So the lifting theorem is described like this. For explaining the proof idea, let's first consider the classical version of the lifting theorem, where we only consider an arbitrary A that makes classical queries. And I remark that this is still meaningful because A can make unbounded number queries, whereas B can make only K queries, which is the same number as the challenges queries. And for proving this classical version, the idea is the following. For each I equal 1 to K, B randomly guesses when A queries challenges I query for the first time, including the choice that A never queries that. Then B embeds real random oracle values to their K guest queries by querying those queries to the real random oracle, while simulating other queries by using a fake random oracle that is simulated by B itself. Then, as long as the guest is correct, B correctly simulates the view of the A, and the probability that the guest is correct is 1 over 2 plus 1 to the power of K. Therefore, here is the reduction between the probability that A wins and B wins with the reduction loss of the factor of Q plus 1 to the power of K. And our idea is to generalize this to the quantum case. And when A makes quantum queries, and our obvious problem is that because A queries a quantum, so it is unclear how to embed classical random oracle values to those quantum queries. And the solution is to just measure those K guest queries. And even though such a measurement may be noticed with non-negligible probability by A, however, by using the measure and the reprogrammed lemma introduced by Don Etar, we can show that this works with a slight reverse reduction loss of 2Q plus 1 to the power of 2K. And this is the proof sketch of our different theorem. This is the summary slide. We give the first separations between ROM and QROM. And on the other hand, we also give ROM to QROM lifting theorems for such type of games with constant query challenges. And we also give some applications of the lifting theorem to signature and query complexity. This is the end of my talk. Thank you for listening.