Non-Observable Quantum Random Oracle Model

The random oracle model (ROM), introduced by Bellare and Rogaway (CCS 1993), enables a formal security proof for many (efficient) cryptographic primitives and protocols, and has been quite impactful in practice. However, the security model also relies on some very strong and non-standard assumptions on how an adversary interacts with a cryptographic hash function, which might be unrealistic in a real world setting and thus could lead one to question the validity of the security analysis. For example, the ROM allows adaptively programming the hash function or observing the hash evaluations that an adversary makes. We introduce a substantially weaker variant of the random oracle model in the post-quantum setting, which we call the non-observable quantum random oracle model (NO QROM). Our model uses weaker heuristics than the quantum random oracle model by Boneh et. al. (Asiacrypt 2011) or the non-observable random oracle model proposed by Ananth and Bhaskar (ProvSec 2013). At the same time, we show that our model is a viable option for establishing the post-quantum security of many cryptographic schemes by proving the security of important primitives such as extractable non-malleable commitments, digital signatures and chosen-ciphertext secure public-key encryption in the NO QROM.