Quantum Random Oracle Model (QROM)
- Quantum Random Oracle Model (QROM) is a framework that extends the classical ROM by allowing quantum superposition queries, enabling rigorous security proofs in a post-quantum context.
- It underpins the analysis of protocols such as the Fiat–Shamir transformation by adapting classical assumptions to quantum adversary capabilities.
- Techniques like the measure-and-reprogram method illustrate how the QROM secures protocols despite polynomial losses from quantum query interference.
The Quantum Random Oracle Model (QROM) generalizes the classical random oracle model (ROM) to capture adversaries equipped with quantum computation capabilities, specifically the ability to query the idealized hash function in quantum superposition. The QROM is a foundational tool in post-quantum cryptography, shaping the security analysis of protocols—such as the Fiat–Shamir transform and proof-of-knowledge systems—against quantum adversaries. This article surveys the formalism of the QROM, highlights critical adversarial limitations, and delineates the principal proof techniques for protocol security in this setting, with an emphasis on Fiat–Shamir–style reductions.
1. Definition and Fundamentals of the QROM
In the QROM, the cryptographic hash function is treated as a truly random function available via a quantum-accessible oracle. This oracle is implemented as a unitary operator:
where , . A quantum adversary may prepare superpositions and apply to obtain , thus querying all points simultaneously in superposition. The adversary can interleave such quantum queries with arbitrary quantum computations and postpone measurement until an optimal point dictated by its attack strategy.
Classical random oracle techniques, especially those that rely on recording every query or on reprogramming the oracle adaptively after observing particular inputs, must be fundamentally revised for the QROM. Because a classical-style simulator cannot "peek" at a superposition query without disturbing it (by the no-cloning and measurement-disturbance principles), genuinely quantum-aware simulation and proof strategies are required (Don et al., 2019).
2. Security Definitions and Adversarial Capabilities
Security in the QROM is defined with respect to quantum polynomial-time (QPT) adversaries that may query the random oracle up to times in superposition. The security experiment comprises a fixed instance of the oracle and an adversary operating with access to . The adversary's objective (such as forging a proof or breaking soundness) is subject to standard cryptographic definitions (soundness, proof-of-knowledge), now reinterpreted under quantum access.
Quantum adversaries possess two principal capabilities:
- Superposition Querying: Arbitrary quantum superpositions over the domain (enabling search and amplitude amplification techniques distinct from classical algorithms).
- Deferred Measurement: postponing measurement until the end of the computation maximizes the adversary's power, a key ingredient in attacks against programmable oracles.
Their limitations arise from physical constraints:
- Challengers or simulators cannot directly observe which input superpositions have been queried without potentially disturbing the adversary's computation.
- Techniques such as "lazy sampling" and straightforward query logging are invalidated in the quantum setting.
Therefore, simulator designs must ensure soundness without such observability, relying instead on indirect, probabilistic methods suited to quantum mechanics.
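To make the oracle unitary of Section 1 and the "no peeking" limitation of Section 2 concrete, here is an added toy simulation (not code from Don et al. or from the page): it represents the oracle on a constructed 3-bit domain as a map on computational-basis states, sends a uniform superposition through a single query, checks that the map is a permutation of the basis (hence unitary and, because of the xor, its own inverse), and shows that a simulator which measures the query register collapses it to one input. The state-vector representation, the toy sizes and all function names are this example's own assumptions.

```python
# Added example (not from Don et al.): a toy state-vector simulation of the
# quantum-accessible oracle O_H |x>|y> = |x>|y xor H(x)> on a constructed
# 3-bit domain, written with plain Python dicts so it runs without numpy.
import math
import random

N_IN = 3    # input bits: domain {0,...,7}   (constructed toy size)
N_OUT = 2   # output bits: range {0,...,3}


def sample_random_function(seed=3, n_in=N_IN, n_out=N_OUT):
    """A truly random function H stored as a full table (the ROM idealization)."""
    rng = random.Random(seed)
    return [rng.randrange(1 << n_out) for _ in range(1 << n_in)]


def apply_oracle(H, state):
    """One quantum query: send each basis component |x>|y> to |x>|y xor H(x)>.
    A state is a dict {(x, y): amplitude}. The map permutes basis states, so
    it is unitary, and because xor is an involution O_H is its own inverse."""
    out = {}
    for (x, y), amp in state.items():
        key = (x, y ^ H[x])
        out[key] = out.get(key, 0.0) + amp
    return out


def uniform_query(n_in=N_IN):
    """|phi> = 2^{-n/2} sum_x |x>|0>: a single query that touches every input."""
    amp = 1.0 / math.sqrt(1 << n_in)
    return {(x, 0): amp for x in range(1 << n_in)}


def superposition_query(H):
    """Query all points simultaneously; the result is entangled as (x, H(x))."""
    return apply_oracle(H, uniform_query())


def measure(state, rng):
    """Computational-basis measurement: sample (x, y) with probability |amp|^2
    and collapse the register onto that outcome."""
    keys = list(state)
    probs = [abs(state[k]) ** 2 for k in keys]
    outcome = rng.choices(keys, weights=probs, k=1)[0]
    return outcome, {outcome: 1.0}


def oracle_is_basis_permutation(H, n_in=N_IN, n_out=N_OUT):
    """Check that O_H maps the 2^(n_in+n_out) basis states bijectively."""
    images = set()
    for x in range(1 << n_in):
        for y in range(1 << n_out):
            images.add(next(iter(apply_oracle(H, {(x, y): 1.0}))))
    return len(images) == (1 << (n_in + n_out))


def peek_disturbs(H, seed=0):
    """A simulator that 'peeks' at a superposition query by measuring it leaves
    the adversary's register holding a single x instead of the superposition.
    Returns (components before, components after, measured y equals H(x))."""
    rng = random.Random(seed)
    state = superposition_query(H)
    (x, y), collapsed = measure(state, rng)
    return len(state), len(collapsed), y == H[x]


if __name__ == "__main__":
    H = sample_random_function()
    print("H =", H)
    print("after one superposition query:", superposition_query(H))
    print("basis permutation:", oracle_is_basis_permutation(H))
    print("(before, after, consistent) on peeking:", peek_disturbs(H))
```

The post-query state has exactly one component per input x, each paired with H(x), which is the "query all points at once" behaviour; the collapse reported by peek_disturbs is the reason a simulator cannot log or lazily sample queries as it would classically.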
3. Foundations for Fiat–Shamir in the QROM
A canonical application of the QROM is the Fiat–Shamir (FS) transformation, which converts a public-coin, three-round interactive -protocol into a non-interactive protocol by replacing the verifier's random challenge with a hash of the transcript, modeled as a random oracle:
0
where 1 is the statement, 2 the prover's first message, and 3 the challenge. The prover computes 4 and the verifier checks 5.
In the QROM, 6 must be quantum-accessible. Security questions—such as whether the transformed protocol retains soundness and proof-of-knowledge properties—demand careful reductions that cope with quantum adversarial behavior (Don et al., 2019).
4. Measure-and-Reprogram Technique
The chief innovation enabling security proofs in the QROM for FS-type constructions is the measure-and-reprogram paradigm. Given a 7-query quantum adversary 8, one can define a two-stage simulator:
- Stage 1: Randomly select one of the adversary’s 9 potential queries (including the output) and measure it in the computational basis to obtain a purported critical input (for FS, this might be 0).
- Stage 2: Reprogram the random oracle at this point to a fresh random challenge 1, then continue the simulation.
A core lemma quantifies the (unavoidable) loss in success probability due to this procedure:
For any 2-tuple adversary output and any predicate 3,
4
where the simulation loss is polynomial in 5 and negligible in 6 (Don et al., 2019). This measure-and-reprogram lemma is pivotal for preserving soundness and proof-of-knowledge in the FS transform under quantum attacks.
5. Reduction Paradigms and Security Implications
The reduction proceeds by transforming any quantum adversary 7 against FS8 into a related adversary 9 against the underlying 0-protocol. The reduction succeeds with probability:
1
Therefore, if the 2-protocol is (computationally/statistically) sound, then so is the FS-transformed protocol, provided 3 is superpolynomial. Similarly, proof-of-knowledge (PoK) properties are preserved, up to the 4 loss (Don et al., 2019). Concretely, these results imply that the security of post-quantum FS-based signatures, such as bare Picnic (Fish), follows in the QROM assuming the underlying 5-protocol is PoK against quantum adversaries and the hash function is collapsing.
This 6 reduction loss, though theoretically non-trivial, is often manageable in practice since 7 (the number of random oracle queries) is typically subexponential.
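As an added example (not code from the paper, from Picnic, or from the page) tying Sections 3 to 5 together: Schnorr's identification protocol stands in for the three-round public-coin Σ-protocol, its Fiat–Shamir transform uses a lazily sampled classical random oracle, and a classical rendition of the two-stage simulator guesses the critical query, reprograms the oracle there with the interactive verifier's challenge, and forwards the resulting transcript. The group parameters, the adversary model (it holds the witness and hides its real commitment among decoy queries) and every function name are constructed for this example. The empirical success rate of about 1/q is the cost of guessing the critical query index; the quantum lemma of Don et al. pays a larger, still polynomial, factor because measuring a superposition query disturbs it.

```python
# Added example (not the paper's code): Schnorr as the Sigma-protocol, its
# Fiat-Shamir transform with a lazily sampled *classical* oracle, and a
# classical rendition of the two-stage measure-and-reprogram simulator that
# turns a q-query FS adversary into a prover for the interactive protocol.
import random

P = 2039   # safe prime p = 2q + 1              (constructed toy value)
Q = 1019   # prime order of the subgroup used   (constructed toy value)
G = 4      # generator of the order-Q subgroup (a square modulo P)


def keygen(rng):
    """Witness w and statement y = g^w mod p."""
    w = rng.randrange(1, Q)
    return w, pow(G, w, P)


def sigma_commit(rng):
    """Prover's first message a = g^r."""
    r = rng.randrange(1, Q)
    return r, pow(G, r, P)


def sigma_respond(w, r, c):
    """Prover's response z = r + c*w mod q."""
    return (r + c * w) % Q


def sigma_verify(y, a, c, z):
    """Verifier's check g^z == a * y^c."""
    return pow(G, z, P) == (a * pow(y, c, P)) % P


class ClassicalOracle:
    """Lazily sampled random oracle H(y, a) -> Z_q. Lazy sampling is one of
    the classical tools the QROM invalidates; it is legitimate here only
    because the adversary below is classical."""
    def __init__(self, rng):
        self.rng, self.table = rng, {}

    def query(self, y, a):
        if (y, a) not in self.table:
            self.table[(y, a)] = self.rng.randrange(Q)
        return self.table[(y, a)]

    def program(self, y, a, c):
        """Reprogram H at a single point (stage 2 of measure-and-reprogram)."""
        self.table[(y, a)] = c


def fs_prove(w, y, oracle, rng):
    """Non-interactive proof: the challenge H(y, a) replaces the verifier."""
    r, a = sigma_commit(rng)
    return a, sigma_respond(w, r, oracle.query(y, a))


def fs_verify(y, a, z, oracle):
    return sigma_verify(y, a, oracle.query(y, a), z)


def fs_adversary(w, y, oracle, rng, n_queries):
    """A q-query FS adversary: makes n_queries oracle queries and outputs a
    proof on a uniformly chosen one. It holds the witness, so it always
    succeeds; the reduction's only job is to locate the critical query."""
    commits = [sigma_commit(rng) for _ in range(n_queries)]
    challenges = [oracle.query(y, a) for _, a in commits]
    k = rng.randrange(n_queries)
    r, a = commits[k]
    return a, sigma_respond(w, r, challenges[k])


def measure_and_reprogram(w, y, n_queries, rng):
    """Stage 1: guess the critical query index i and read ('measure') its
    input a. Stage 2: reprogram H(y, a) to the interactive verifier's fresh
    challenge c*, let the adversary finish, and output the transcript
    (a, c*, z) if its proof used that query. Returns None on a wrong guess."""
    oracle = ClassicalOracle(rng)
    i = rng.randrange(n_queries)
    hooked = {"count": 0, "a": None, "c": None}
    plain_query = oracle.query

    def query_with_hook(y_, a):
        if hooked["count"] == i:
            hooked["a"], hooked["c"] = a, rng.randrange(Q)  # verifier's c*
            oracle.program(y_, a, hooked["c"])
        hooked["count"] += 1
        return plain_query(y_, a)

    oracle.query = query_with_hook
    a, z = fs_adversary(w, y, oracle, rng, n_queries)
    if a == hooked["a"] and sigma_verify(y, a, hooked["c"], z):
        return a, hooked["c"], z
    return None


def fs_roundtrip(seed=7):
    """Return (honest proof verifies, tampered proof verifies)."""
    rng = random.Random(seed)
    w, y = keygen(rng)
    oracle = ClassicalOracle(rng)
    a, z = fs_prove(w, y, oracle, rng)
    return fs_verify(y, a, z, oracle), fs_verify(y, a, (z + 1) % Q, oracle)


def reduction_success_rate(n_queries, trials, seed=1):
    """Empirical success rate of the reduction, close to 1/n_queries: the
    price of guessing which of the q queries is the critical one."""
    rng = random.Random(seed)
    w, y = keygen(rng)
    hits = 0
    for _ in range(trials):
        out = measure_and_reprogram(w, y, n_queries, rng)
        if out is not None and sigma_verify(y, *out):
            hits += 1
    return hits / trials


if __name__ == "__main__":
    print("FS round trip (honest, tampered):", fs_roundtrip())
    print("reduction success rate, q=4:", reduction_success_rate(4, 2000))
```

Running reduction_success_rate(4, 2000) reports roughly a quarter of the runs producing a valid interactive transcript, the 1/q factor of this classical guess; in the QROM the stage-1 measurement itself perturbs the adversary, which is where the additional polynomial loss in the page's lemma comes from.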
6. Extensions, Applications, and Consequences
The generic QROM-to-classical reduction applies not only to signatures but to post-quantum NIZKs and other cryptographic constructions. When the underlying 8-protocol admits attributes like unique responses, honest-verifier zero-knowledge, and soundness against quantum adversaries, the entire class of FS-based constructions becomes viable for post-quantum deployment.
Applied to post-quantum signatures, as in the Fish variant in Picnic, the construction is as follows:
- 9-protocol (ZKB++ MPC-in-the-head) forms the interactive base.
- The Fiat–Shamir transformation is applied, with the hash function modeled as a quantum-accessible random oracle.
- Security (e.g., strong unforgeability) established in the QROM for any 0-protocol satisfying proof-of-knowledge properties against quantum forgers and using a hash function possessing the collapsing property.
Under these conditions, the reduction is complete, and the result holds even against adaptive attacks (Don et al., 2019).
7. Historical Context and Comparison
The inherent difficulty of lifting ROM proofs to the QROM was noted earlier, especially in settings where classical rewinding and programming techniques break down in the presence of superposition queries (Dagdelen et al., 2013). Early impossibility results showed that black-box extraction in the QROM fails for a wide class of FS-style transforms when the first message of the 1-protocol is witness-independent, unless modifications (such as oblivious commitments or trapdoor techniques) are introduced.
The measure-and-reprogram paradigm and its modern applications furnished a path beyond these limitations, providing both a general methodology and concrete security bounds for QROM security reductions.
References
- "Security of the Fiat-Shamir Transformation in the Quantum Random-Oracle Model" (Don et al., 2019)
- "The Fiat-Shamir Transformation in a Quantum World" (Dagdelen et al., 2013)