Adaptive versus Static Multi-oracle Algorithms, and Quantum Security of a Split-key PRF

TL;DR

This paper introduces a compiler that converts adaptive oracle algorithms into static ones with minimal complexity increase and applies it to prove the quantum security of a hash-based split-key PRF, enhancing cryptographic security in quantum contexts.

Contribution

The paper presents a novel compiler for transforming adaptive oracle algorithms into static ones and demonstrates its application in proving quantum security of a hash-based split-key PRF.

Findings

The compiler controls query complexity blow-up effectively.

The split-key PRF is secure in the quantum random-oracle model.

The compiler has potential applications beyond this specific case.

Abstract

In the first part of the paper, we show a generic compiler that transforms any oracle algorithm that can query multiple oracles adaptively, i.e., can decide on which oracle to query at what point dependent on previous oracle responses, into a static algorithm that fixes these choices at the beginning of the execution. Compared to naive ways of achieving this, our compiler controls the blow-up in query complexity for each oracle individually, and causes a very mild blow-up only. In the second part of the paper, we use our compiler to show the security of the very efficient hash-based split-key PRF proposed by Giacon, Heuer and Poettering (PKC 2018), in the quantum random-oracle model. Using a split-key PRF as the key-derivation function gives rise to a secure KEM combiner. Thus, our result shows that the hash-based construction of Giacon et al. can be safely used in the context of quantum attacks, for instance to combine a well-established but only classically-secure KEM with a candidate KEM that is believed to be quantum-secure. Our security proof for the split-key PRF crucially relies on our adaptive-to-static compiler, but we expect our compiler to be useful beyond this particular application. Indeed, we discuss a couple of other, known results from the literature that would have profitted from our compiler, in that these works had to go though serious complications in order to deal with adaptivity.