 Sometimes, we can't prove our favorite schemes are secure in the standard model. Oftentimes, what we do instead is model a hash function as a random oracle and prove security in this model. We often have to resort to the random oracle model because our most efficient schemes are frequently only proof secure in this model. And this is true even in the post-quantum world. For example, the random oracle-based signature scheme of GPV from 2009 is more efficient than the non-random oracle CHKP and ABB signatures. Unfortunately, all of the schemes that we have so far are usually approved only secure in the classical random oracle model. And what we mean by this is that the proofs only consider classical queries to the random oracle and don't consider quantum queries. For this paper, we'll be looking at the quantum random oracle model. In this model, interaction with the primitives themselves are still classical, but the random oracle is allowed to be queried on a quantum superposition of inputs. The reason that we think that this is the correct model is that when we actually go to instantiate the random oracle with a hash function, we give the code of the random oracle to all parties including the adversary. A quantum adversary then with the code can do whatever he wants with the hash function, including evaluating it on a quantum superposition of inputs. The picture we have then looks like this. We have Alice and Bob. They're engaged in some protocol. Since Alice and Bob are still classical, they are only communicating classically. We also have an adversary who's allowed to be quantum, and the adversary is maybe eavesdropping on the communication between Alice and Bob, maybe actually interacting with them, but this interaction is still classical. Further, we have this random oracle h. Alice and Bob being classical can only interact with h in a classical way, sending a query and receiving the output and return, but the adversary being quantum now, we allow to interact with h in a quantum way. To be formal, let's define what it means to be secure for the case of signatures. The challenger sends over a public key to the adversary. The adversary is allowed to ask for signatures on messages. These queries though can only be classical. But the adversary is also allowed to query the random oracle on a superposition. So what does this mean? Basically, the adversary sends over a superposition of maybe all possible inputs, maybe some subset of possible inputs, and receives the superposition of the corresponding outputs in return. And then the adversary sends over a message forgery candidate and the adversary output 01 depending on if this is a valid forgery or not. Unfortunately, classical random oracle model proofs do not carry over into the quantum setting, and I'd like to highlight a few difficulties in actually transferring classical proofs to quantum proofs. The first is simulating the random oracle. On even the first query a quantum adversary can make to the random oracle, he could query it on a superposition of all possible inputs. What this means is if we want to produce an oracle that looks random to the adversary, we need to generate a random output for each of the exponentially many inputs, and generating an exponential amount of randomness is impossible to do efficiently. Another difficulty is in a common proof technique in the classical random oracle model where we use the oracle queries to peek into the adversary. If the adversary queries the random oracle on X, we know that the adversary is interested in X. The obvious quantum analog of this would be to sample the quantum query and see which input the adversary was interested in, but this destroys the superposition and the adversary would be able to notice. Lastly, programming the random oracle on the quantum random oracle model is difficult because really the only thing we know how to do is define the entire random oracle up front and in doing so we can't program the random oracle in an adaptive fashion. Bonnet et al. last year had some results in the quantum random oracle model. They show that there is in fact a separation, that there are schemes that are secure in the classical random oracle model even against quantum adversaries. But once we allow the quantum adversary to make classical, sorry, quantum queries to the random oracle, the schemes are no longer secure. They show, however, that some classical proofs can be adapted to the quantum setting and these are basically just proofs where the random oracle is used in a very limited way. The examples of schemes that they prove secure are the GPV signature scheme, the full domain hash signature scheme for a specific type of trapdoor permutation, the cat's weighing signature scheme and a particular hybrid encryption scheme. We extend the results. First, we, Bonnet et al. require the existence of a quantum secure pseudo random function and we show how to remove that result or that assumption from the results as well as ours. Next, we provide some new security proofs in the quantum random oracle model. Particularly, we prove the security of an identity based encryption scheme to hierarchical identity based encryption schemes and full domain hash for any possible secure trapdoor permutation. To accomplish these results, we develop new tools to argue the indistinguishability of oracle distributions by quantum adversaries. So the proof technique that we analyze in this paper is the following. We start with an adversary A makes Q queries to the random oracle H. Then we construct a new algorithm B to solve some problem and B works as follows. First, it picks a random query I that the adversary makes. For all other queries, it just answers in a way that looks random, but for the special query I, it responds with some challenge C. The hope is that the adversary will use C to break the scheme and if it does, we are able to solve our underlying problem. Since we chose the query at random from among Q queries and Q is a polynomial, this happens with non-negligible probability. In pictures, we have the oracle seen by the adversary. Each row in this diagram represents a query and each column represents the value of the oracle at a particular input. So let's say the adversary of its first query sends over X1 and X1 corresponds to the second column. Well, we generate some randomness R1 and just send it back to the adversary. When the adversary sends R2, X2, we generate some new randomness R2 and send it back to the adversary. Now let's say that the third query was the randomly chosen special query. Instead of responding randomly, we just respond with the challenge C. And then for subsequent queries, we just respond with new randomness. The first attempt, the first obvious attempt in the quantum setting is to do something very similar. We pick a query I at random and that query will answer with our challenge and for the rest, we'll answer in a way that looks random. So when the adversary sends over a superposition of inputs, we need to make our oracle look random for the query so we just generate some fresh randomness for each possible input and send the superposition of that randomness back in return. For the second query, we want to make the oracle look consistent between queries so we'll use the same randomness and send that superposition back to the adversary. Now for the special query, we just respond with the challenge for all possible inputs. So the superposition, we get a superposition of X's and we just send back a superposition of C. And then for subsequent queries, we just respond in a way consistent with the previous queries. The problem with this approach is that the special query I is first inconsistent with the previous queries. We respond to it in a different way and then also it's actually easy for a quantum algorithm to distinguish this one query from a truly random oracle. Our second attempt is to make all of the queries answered in the same way. So instead of picking a query at random and answer that differently, we actually pick an input X star at random and answer that differently. So we have the following picture. The adversary sends over a superposition of X and we send back the following state, psi, where in response to X's other than X star, we give R sub X where R sub X is random and then in response to X star, we give back C. The problem with this approach is that we picked the input at random among an exponentially large domain and so the probability that the adversary uses the challenge C is actually exponentially small so we are unable to use this technique to break our underlying problem. Our solution is instead of just picking one X star, we pick a whole set S of possible inputs and respond to those inputs with C. So when the adversary sends over a sum of X, we send back the response where for all X in the set S, we just respond with C and for all other X we respond with R sub X. This distribution is what we call a semi-constant distribution and I'll define it as follows. So the distribution is parameterized by lambda and we start by picking a set S in the following way. We go through each element in the domain and put that element in S with probability lambda and then we pick a random C and for all X in S, we set the output of the oracle H to be C and for all other X, we just choose the output randomly and independently. The bulk of the technical work in the paper goes to proving this following theorem basically says that an adversary can't distinguish this type of oracle from a random oracle as long as lambda is small. So the high-level overview of the proof is that the adversary cannot distinguish this distribution of oracles that we give it from a random distribution. So if it solved, if it broke the underlying scheme, it broke the scheme even with the semi-constant distribution. But now we have inserted our challenge C into a significant fraction of the oracle inputs and so the adversary will use C to solve its problem with some significant probability and if that happens we are able to solve our problem. I've left one big hole so far and that is actually generating the random values. Remember the domain of the random oracle is potentially exponentially large and we need to generate random values for every possible input in the domain and we don't know how to or we can't generate exponentially many random values efficiently. The solution in Bonnet at all was to assume the existence of a quantum secure PRF. This means a PRF that's secure even against quantum queries. Before any of the random oracle queries, they pick a random key and just let these r sub x values be the PRF using the key k evaluated at x and because the pseudorandom function is indistinguishable from random, these r sub x values look like they're randomly generated. Our solution is to actually not use a pseudorandom function but to use independent functions. So let's say the adversary makes a polynomial q of queries. What we do instead is pick a random 2qy's independent function f and let the r sub x values be f evaluated at x. We show using a technique called the polynomial method that 2qy's independent functions are actually sufficient for our purposes. We also note that the 2qy's independent functions can be used to remove the assumption of a quantum secure PRF from previous results as well. We apply this method to the IBE scheme of GPV from 2009 proving its security in the quantum random oracle model. We also apply it to the full domain hash signature scheme for any possible secure trapdoor permutation. Remember previous results only proved it for specific types of trapdoor permutations. We also apply our result iteratively to two hierarchical IBE schemes proving their security. However, in our proof the security degrades doubly exponentially with the depth of the identity tree where classically the dependence is only singly exponential. So we can only handle somewhat shallower identity trees and can be handled by the classical proof. Up to this point we've only considered security in the model where the adversary is still restricted to interacting with the primitives classically. In Fox we actually consider the case where we allow quantum queries to a pseudo random function. So on top here we have the classical model where an adversary, even quantum adversary, is still only allowed to interact with the PRF by making classical queries. However, we consider the case where the adversary is allowed to send a superposition to the PRF and receive the superposition of outputs in return. In Fox we show that in general there's a separation between these models. There are scheme secure against adversaries making classical queries but are insecure once we allow quantum queries. But we show that several of the classical constructions from literature still remain secure even against quantum adversaries. In particular the construction from pseudo random generators, the construction from pseudo random synthesizers, as well as a direct construction from lattices. Also note that we now have quantum, or we have Macs that are also secure against quantum queries. Some open questions that should need to be solved. First, proof techniques based on the Fiat-Chemire paradigm while very similar in structure to the proof handled in our paper still lack a quantum security proof. And the problem is that during the special query the underlying identification protocol is initiated and there's no real clear quantum analog to this. Also there are many other random oracle security proofs that still need quantum random oracle model proofs. Alright, thank you.