Fiat-Shamir for Proofs Lacks a Proof Even in the Presence of Shared Entanglement
Frédéric Dupuis, Philippe Lamontagne, Louis Salvail
TL;DR
The paper investigates the cryptographic power of shared quantum resources in the CRQS model, defining the Weak One-Time Random Oracle (WOTRO) and proving that no statistically secure or black-box-reducible WOTRO protocol exists in CRQS when $n-m$ grows faster than logarithmic in the security parameter. It introduces a Chernoff-based attack that is efficiently simulatable, ruling out fully black-box reductions to cryptographic games and implying a broad impossibility for a universal quantum Fiat-Shamir transform in this model. To bypass the impossibility, it presents a non-game hash-function assumption called collision-shelters (in the CRQ$ model) enabling secure WOTRO instantiations, and connects WOTRO with quantum lightning, including a typed variant (tQL) that embeds metadata and implies WOTRO under similar constraints. The work also demonstrates an unconditional WOTRO construction in the CRQ$ model using mutually unbiased bases, discusses the realism of collision-shelters, and shows how typed quantum lightning would preclude black-box reductions, thereby clarifying the boundaries between interactive proofs and non-interactive arguments in quantum setups. Overall, the results delineate when entanglement and pre-shared quantum states can replace interactive assumptions, and they delineate fundamental barriers to black-box approaches in quantum cryptography while offering alternative non-game assumptions with potential practical impact.
Abstract
We explore the cryptographic power of arbitrary shared physical resources. The most general such resource is access to a fresh entangled quantum state at the outset of each protocol execution. We call this the Common Reference Quantum State (CRQS) model, in analogy to the well-known Common Reference String (CRS). The CRQS model is a natural generalization of the CRS model but appears to be more powerful: in the two-party setting, a CRQS can sometimes exhibit properties associated with a Random Oracle queried once by measuring a maximally entangled state in one of many mutually unbiased bases. We formalize this notion as a Weak One-Time Random Oracle (WOTRO), where we only ask of the $m$-bit output to have some randomness when conditioned on the $n$-bit input. We show that when $n-m\inω(\lg n)$, any protocol for WOTRO in the CRQS model can be attacked by an (inefficient) adversary. Moreover, our adversary is efficiently simulatable, which rules out the possibility of proving the computational security of a scheme by a fully black-box reduction to a cryptographic game assumption. On the other hand, we introduce a non-game quantum assumption for hash functions that implies WOTRO in the CRQS model (where the CRQS consists only of EPR pairs). We first build a statistically secure WOTRO protocol where $m=n$, then hash the output. The impossibility of WOTRO has the following consequences. First, we show the fully-black-box impossibility of a quantum Fiat-Shamir transform, extending the impossibility result of Bitansky et al. (TCC 2013) to the CRQS model. Second, we show a fully-black-box impossibility result for a strenghtened version of quantum lightning (Zhandry, Eurocrypt 2019) where quantum bolts have an additional parameter that cannot be changed without generating new bolts. Our results also apply to $2$-message protocols in the plain model.
