Online-Extractability in the Quantum Random-Oracle Model
This work addresses security challenges in quantum cryptography by enabling efficient extraction without rewinding, which is crucial for protocols like post-quantum encryption and commitments.
The paper tackles the problem of extracting classical values from quantum query algorithms in the quantum random-oracle model, showing that such values can be efficiently extracted online with almost certainty. It applies this result to prove tight online extractability for commit-and-open Σ-protocols and offers the first non-asymptotic post-quantum security proof for the Fujisaki-Okamoto transformation.
We show the following generic result. Whenever a quantum query algorithm in the quantum random-oracle model outputs a classical value $t$ that is promised to be in some tight relation with $H(x)$ for some $x$, then $x$ can be efficiently extracted with almost certainty. The extraction is by means of a suitable simulation of the random oracle and works online, meaning that it is straightline, i.e., without rewinding, and on-the-fly, i.e., during the protocol execution and without disturbing it. The technical core of our result is a new commutator bound that bounds the operator norm of the commutator of the unitary operator that describes the evolution of the compressed oracle (which is used to simulate the random oracle above) and of the measurement that extracts $x$. We show two applications of our generic online extractability result. We show tight online extractability of commit-and-open $Σ$-protocols in the quantum setting, and we offer the first non-asymptotic post-quantum security proof of the textbook Fujisaki-Okamoto transformation, i.e, without adjustments to facilitate the proof.