 Welcome to our YouTube video about tight adaptive reprogramming in the quantum random oracle model. This is joint work with Alex Grillo, myself, Andrea Söhrling and Christian Marienz. So to say a few words about the quantum random oracle model. I'd start with a random oracle model which is very popular because it allows for a simple proofs of efficient constructions. But it suffers from the drawback that it cannot take into account quantum attackers. And this is why 10 years ago, the random oracle model was generalized in such a way by allowing the random oracle to be accessible via a superposition queries or in short quantum accessible. And the proof in the quantum random oracle model allows to argue security against quantum attacks that are run in classical networks, meaning interacting with honest users that are still classical. Sorry. And why this is very neat, because it allows to argue post quantum security. It comes with its own challenges. Quantum access, meaning superposition queries at proof complexity, and very useful random oracle properties like programmability and pre-image awareness are not truly known to generalize to this new scenario. And the bounds we can derive by quantum random oracle arguments are usually less tight than their classical counterparts. And now we'll zoom in into one of those properties I just mentioned, namely programmability. So now to say a few words about adaptive reprogramming in the quantum random oracle model in the classical random oracle model, things are very easy. We can say if the random oracle has not been queried yet on a particular pre-image X, then the attacker has no knowledge of the value of this position and we can choose it on the fly. And this in particular means that reduction could pick it in a way that's helpful to the reduction to simulate a particular security game without any secret knowledge like, for example, a secret key. It only has to make sure that the value is uniform and consistent with the rest of the view of the attacker. Unfortunately, in the quantum random oracle model things are not as easy. If we allow the attacker to pose superposition queries, then in principle any query could already have contained X with some amplitude and checking whether this was the case would have meant measuring the query, meaning the state and hence potentially disturbing the attacker. So, an interesting question is, can we adaptively reprogram in the quantum random oracle model. And I'll mention right away that there has been previous work on this question, which will be discussed after we have presented our findings to make stuff more comparable. For the rest of the talk, I will first describe a motivational use case to convince you that this is actually a question that's worth tackling. And afterwards, I present to you our results and show how these can be applied to the motivational use case. After that, Chris will sketch to you the proof technique that we used, and we'll finally show you that there's reason to believe that the bound we derive is tight because we found a matching attack. So by now, let's first go to the motivating example, a use case in the classical random oracle model. And we decided to discuss phm your signatures. So this is a phm your signature scheme built from an identification scheme and a hash function that will be modeled as a random oracle. And to generate keys will just use the key generation algorithm of the identification scheme and to sign a message will first use the commit algorithm of the identification scheme to derive a commitment and a state. And then the respond algorithm to define a response. And what's important is to notice that the challenge we will forward to the respond algorithm will be the hash value of the commitment we picked and the message and the signature then consists of the commitment and the response to verify message and a signature will use the verification algorithm of the identification scheme. Again, relative to the challenge that is the hash value of the commitment and the message. And an important proof step to argue that phm year is affordable even if an attacker has access to a signing oracle is to get rid of the signing oracle by arguing that if the identification scheme is fun as verify zero knowledge, meaning that identification transcripts can be simulated by a simulator that only has access to the public key. And in the random oracle model it holds that the signing algorithm can be simulated by a simulator that also does without the secret key. And the proof of the step goes as follows. Again, we want to show that if the identification scheme is honest verify zero knowledge, then the signing algorithm can be simulated without the secret key. The idea is to simulate a signature using the honest verify zero knowledge simulator by, yeah, picking a simulator transcript and letting the signature be the commitment and the response that was part of this transcript. And it wouldn't be consistent with the attackers view because the attacker would would expect that the challenge is the random oracle value. So what we do is that we program the random oracle a posteriori by setting it to challenge on the commitment and the message. This simulation works unless this particular random oracle value has already been carried because then the attacker would notice that we reprogrammed it. But this is pretty unlikely, given that the commitment has high enough entropy, because the probability of this happening can be upper bounded in terms of the number of random oracle queries and the probability of this commitment happening. And this is once per signature. So all in all, in total, the distinguishing advantage between proper signatures and this simulated signature, the simulated signatures can be upper bounded in terms of the advantage against our honest verify zero knowledge for QS many transcripts where QS is the number of signing queries, plus number of signing queries times number of oracle queries times maximum probability of the commitments. What did we just see we saw that we can pretty much simplify security proofs for future me in the random oracle model and we used that reprogramming is triggered by queries to the signing oracle. And what we want to take away here is that oracles like signing oracles or decryption oracles, meaning all oracles that represent honest users in the security game will remain classical even if we want to prove post quantum security. So reprogramming was triggered by a classical query. And we use that it's unlikely to query the particular reprogramming position before the reprogramming happens. And now we want to take a look at what happens functionally. And there, it's not even so clear what to what it means that this particular position was not queried before the reprogramming. And we also have to consider that we cannot simply check whether the oracle was carried on a particular position or not because then it might happen that we disturb the attacker. Now we'll move on to the results. And our results are reprogramming toolbox and first I present to you the simplest case, just to get you into it. And we consider distinguishes that have a particular task, namely the task to distinguish between access to a plane random oracle, and it's adaptively reprogrammed counterpart, which we call H one. So at the beginning of the game a started with access to the original random oracle. And the random oracle is defined on the product of a finite set X one and a finite set X two. Just imagine that we have some bit string of length to L and X one is the bit strings of length L and X two is the second half. And after having queried the original oracle for some time, a will pick its own position X one which marks the first half of the position. And the game completes this position to a complete reprogramming position by uniformly picking X two from the second set. And now we'll define H one as H zero but reprogrammed on this position, meaning we let H one coincide with H zero anywhere but on this particular position. And on this position, we'll just define it to be a new freshly uniformly random value. The second half of the reprogramming position will forward to a and then continue a with access to either H zero or H one and the task of age, the task of a is to tell to which oracle it has access. So if we were in a classical world, things would be pretty easy than the distinguishing advantage would be up a bounded in terms of the number of oracle queries and the size of X two, because the reprogramming part that wasn't under the control of a cannot be foreseen by a meaning it will only have query the oracle with this probability on this position. And first nice result is that quantumly things don't look too different. So all we have to do is to add a square root and to multiply by a factor of one and a half. So this is kind of nice, but it's not really very general because with this argument we wouldn't be able to, for example, argue security of yet Shamir. So what we did was to generalize this result a bit and I'll show you on the next slide how we generalized it. But before that, let me state that this bound is actually tight because we found a matching attack and this will be the last section of the talk. And now onto the generalizations. So here we see the bound for the simple case we have just considered before. Now a first important generalization is to reprogram many times because we don't just want to reprogram once. But for example, as often as an attacker might issue signing queries. So if we want to reprogram our many times this bond has trivially to be multiplied by our because we can just give a hybrid. Another another more important generalization is that we now let a pick the whole reprogramming position instead of just the first half and a is even allowed to pick distributions according to which those reprogramming positions are picked and adaptively. So it might completely change distributions depending on its input. And the resulting bound is inspired very similar to what we've seen before we just have to replace the term relative to the size of the second half with the maximum probability of any element to be drawn from any of those distributions. And the last generalization is a scenario in which these distributions also generate some additional information x prime, which will also be forwarded to a not only the reprogramming position but also the site information will be forwarded to a. And this doesn't change the bound. So now I can compare our results with what was previously known. There has been some work before on this question, all resulting in essentially the same bound. But none of these results considered arbitrary distributions that might be adaptively picked. They just considered the uniform distribution. And they also didn't consider site information that is forwarded to the attacker. Yes, and all those bounds are for just one reprogramming incident and all bounds or results have in common that if you want to reprogram our many times you have to multiply the bound by our. Okay, now I want to show you how we can use this result to prove that Fiat-Chamir signatures can be simulated without the attacker noticing too much. And the goal of our approach is to use the same simulation that we have seen in the classical scenario. So here we see honest signatures as defined by the Fiat-Chamir transform. And before we move to simulating by honest verifier as your knowledge transcripts, we do an intermediate simulation. That is pretty straightforward. We remove this step. We will not define the challenge to be the random oracle value of the commitment at the message anymore. Instead, we choose it uniformly at random and then reprogram the random oracle accordingly. And due to our theorems, we now know that this is essentially unnoticeable if the commitment scheme has sufficiently high entropy. And from this intermediate simulation, we can now go forward to the desired simulation where we simply draw a simulated transcript and program the random oracle. Accordingly, and this is justifiable by a straightforward honest verifier, zero knowledge argument. Okay. And as we can see, the proof for this, this proof step for Fiat-Chamir was as simple and straightforward as in the random oracle model. And our work again contains this proof of Fiat-Chamir signatures that is conceptually simple and also tighter than the ones that were previously known. It also contains a tighter result for XMSS because we give a tighter proof for hash and sign and the message compression routine of XMSS. And what we also did was to take a look at work that considered how to hatch Fiat-Chamir against real-world attacks where hardware malfunctions are induced to derail the algorithms and to show how the work generalized to the quantum random oracle model, meaning that even quantum attackers will not have too much success by inducing fault injection when attacking the hatch Fiat-Chamir transform. Okay. And with this I say bye and let Chris talk about our proof technique. Hello, my name is Christian Mayans. And in this last part of the talk I will give you a little bit of an idea about our proof technique and will present the matching attack that shows that our reprogramming lemma is tight. And we begin with a little sketch of the run proof so in the rest of the talk we will for simplicity leave out this adversarial chosen part of the input. And also, let's take the input and output of the hash function to be equal to the end of strings just for simplicity. So here is again the game that the adversary is playing. The first stage of the adversary gets to interact with the random oracle H, then the random oracle H is reprogrammed as some random input X star to the random output Y star or not depending on the bit B. And finally, the adversary gets to interact with the possibly reprogrammed oracle again to come up with the guest B prime for the bit B. Now, the distinguishing advantage of such an adversary that has classical access to H is upper bounded by the number of queries in the first phase divided by two to the end. This is fairly straightforward. So here's the intuition. Basically the adversary needs to resort to guessing B, unless they have create X star in the first phase. And therefore we can bound the advantage by the expectation over the choice of X star of the probability that X star has been created in the learning phase this is a bit of a roundabout way to express this upper bound but it will be helpful for the quantum proof. And this is more or less obviously bounded by the number of queries by two billion. Now, in the quantum random oracle model version of this. This now we use the superposition oracle technique so I want to briefly explain what the superposition oracle technique is. Essentially the superposition oracle is something like a quantum function table of a random function. And for simplicity. Let's look at an end bit to end bit random function. And here's the comparison between the function table of a random oracle and the superposition oracle. This the entire object. So the entire random oracle function table is just two to the end random variables abstractly speaking and the entire superposition oracle that's just two to the end quantum registers. In the random oracle, an unqueryed entry of the function table is just an independent uniformly random random variable. On the other hand in the superposition oracle and an unqueryed entry just corresponds to a uniform superposition state. Now here is the wrong proof sketch again now let's try to mimic this in in the superposition oracle. Why does this wrong proof actually work. It works because an unqueryed entry as we've just seen corresponds to a uniformly random variable. So, if x star has not been create in the learning phase, then the corresponding output is a uniformly random variable. And so replacing it with a fresh uniformly random string doesn't change anything. Now in the quantum random oracle model we just use the superposition oracle and to reprogram instead of you know sampling a new output we prepare the register corresponding to the output at x star into a fresh uniform superposition state. Now, essentially we can repeat the proof that we have or this proof sketch up there, except that we need to replace this expectation value by the expectation over x star of the probability that h of x star the corresponding register is not in the uniform superposition state because that basically corresponds to the address very having create this input. Now, this expectation value over x star is put in quotation marks here because somehow the argument so this probability is not well formed. We are talking about a quantum register, so we cannot talk about the probability that this quantum register is not in uniform superposition or in principle we could talk about this probability, but it doesn't make any sense. So what we actually do is we handle this whole proof inside the quantum formalism but I just don't want to discuss it here. So I think this expectation value in quotation marks is as close as you will get to getting an idea of the proof. Okay, so after this short kind of insight into our proof technique let me present the matching attack that we have that shows that the reprogramming lemma is tight. So let's first have a look at a classical attack. Here's the theorem again that the gives the upper bound on the distinguishing advantage. A simple attack is to just query q different values of x store all of the results. And then do this in the first phase right and then in the second phase just hope that the reprogrammed input is among the ones great in the first phase. This costs q queries in the first phase, but an important caveat is that the memory cost is order q right because we need to store all the values. So here's a better attack, you can just store the XOR of all the great outputs, and then recompute them in the second phase and compare the two check cells. That's two q queries because we need to query all of the inputs again in the second phase, but on the other hand the memory cost is order one. Now, what we do is we quantize the better attack. So how does that work. Let's first have a look at when the classical attack succeeds. So here, the attack succeeds whenever the reprogrammed input X star is in the set of great input and that obviously is the case with probability q times to the minus and the idea is to query a superposition of different sets of inputs. And then, somehow the success probability should actually grow with what we call the amplitude of x star being in the query set, instead of the probability. That's how we gain the square root advantage. And more concretely, how can we do this efficiently, we start with a uniform superposition of inputs, then we repeatedly do the following we query our superposition. And then we apply some fixed cyclic permutation of the domain of our hash function, and then we do that q times and then after reprogramming we undo the whole thing. And if we do that with it in the initial state, then nothing has happened, and if something has changed, then then reprogramming has happened, and there is an optimal measurement that gives us the square root advantage. This reveals basically the, the, the theorem that says that our reprogramming theorem is tight or in other words, the distinguishing advantage of order square root of the number of quote oracle queries divided by two to the N is achievable. That's what we wanted to say. Thank you very much for listening.