Survey on the Security of the Quantum ROM

Erica Blum, Makana Castillo-Martin, Michael Rosenberg

December 12, 2019

1 Introduction

The Random Oracle Model (ROM) is a heuristic that has been used to prove the security of hundreds of cryptographic protocols. For over 25 years, it has been used to prove the security of protocols that would otherwise be far more complicated, or even admit no security proof at all. However, since this proof technique is only a heuristic, there is a gap between the notion of security in the ROM and security in the real world. Over time, the arguments that attempt to bridge this philosophical gap have, in our opinion, become quite strong.

In this paper, we aim to enumerate the arguments in favor of the real-world security of cryptographic schemes proven secure in the ROM, and “port” them to an analogous heuristic, the Quantum Random Oracle Model (QROM), which makes claims about the security of schemes against quantum adversaries. The existence of a philosophical argument bridging security in the QROM and security in the real world is similarly important: the QROM has already been used to prove many protocols secure, but it is not self-evident that it is practical as a heuristic.

Our argument for the ROM and QROM will follow in three steps:

1. The (Q)ROM is expressive, and can be used to prove reductions for many varied cryptographic protocols.
2. The cryptographic schemes that clearly demonstrate the failure of hash functions to approximate (quantum) random oracles are contrived and unlikely to be constructed in practice.
3. No schemes with security reductions in the (Q)ROM have been shown to have vulnerabilities stemming from the failure of hash functions to approximate a (quantum) random oracle.

We first describe the ROM, the QROM, and their nontrivial relationship.
1.1 Random Oracle Model

The Random Oracle Model was first introduced by Bellare and Rogaway [BR93], and has since been widely used for constructing security proofs of many cryptosystems. Put simply, a protocol in the ROM gives all parties access to a random oracle O. Any party can submit a query x ∈ {0, 1} to O, and the oracle will return O(x) ∈ {0, 1}, where each bit is chosen uniformly and independently. If x has been queried before, then O(x) must be consistent with the previous response. Concrete instantiations of protocols that live in the ROM generally replace the random oracle with a hash function.

The ROM was introduced to address a specific problem in the cryptographic community. At the time, constructions relying on hash functions—for example, full-domain hash (FDH) signatures and the Fiat-Shamir transform—could not be proven secure using any existing techniques. The purpose of the ROM was to provide a heuristic that allowed cryptographers to formally prove the security of these constructions, subject to some assumptions. As Bellare and Rogaway originally argued in [BR93],

    In order to bring to practice some of the benefits of provable security, it makes sense to incorporate into our models objects which capture the properties that practical primitives really seem to possess, and view these objects as basic even if the assumptions about them are, from a theoretical point of view, very strong…We stress that the proof is in the random oracle model and the last step is heuristic in nature. It is a thesis of this paper that significant assurance benefits nonetheless remain.
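The oracle described above is usually realised in a security proof by lazy sampling: answers are drawn fresh on first query and stored so that repeated queries stay consistent. The following is an added illustration written for this survey, not code from the paper or from [BR93]; it assumes a fixed output length n (here 256 bits) and uses SHA-256 only to stand in for the heuristic "replace O with a hash function" step.

```python
import hashlib
import secrets


class RandomOracle:
    """Lazily sampled random oracle O with n-bit outputs.

    On the first query of an input x, each output bit is chosen
    uniformly and independently (secrets.token_bytes); the table then
    guarantees that every later query of x returns the same answer,
    which is the consistency rule from the text. The extra `program`
    method is the power a *reduction* has in a ROM proof (fixing O(x)
    before x is asked); real protocol parties never get it.
    """

    def __init__(self, n_bits: int = 256):
        if n_bits % 8:
            raise ValueError("n_bits must be a multiple of 8")
        self.n_bytes = n_bits // 8
        self._table = {}  # x -> O(x), filled in on demand

    def query(self, x: bytes) -> bytes:
        if x not in self._table:
            self._table[x] = secrets.token_bytes(self.n_bytes)
        return self._table[x]

    def program(self, x: bytes, y: bytes) -> bool:
        """Set O(x) = y. Refused once x has been queried, since changing
        an already-returned value would break consistency."""
        if len(y) != self.n_bytes:
            raise ValueError("output must have exactly n bits")
        if x in self._table:
            return False
        self._table[x] = y
        return True

    def queries(self) -> int:
        """Number of distinct inputs seen so far (the 'q' in ROM bounds)."""
        return len(self._table)


def sha256_instantiation(x: bytes) -> bytes:
    """The heuristic last step: a concrete hash in place of O.
    Unlike RandomOracle, this is a fixed public function, which is
    exactly why the ROM-to-practice step is an assumption."""
    return hashlib.sha256(x).digest()
```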