We explore the cryptographic power of arbitrary shared physical resources. The most general such resource is access to a fresh entangled quantum state at the outset of each protocol execution. We call this the Common Reference Quantum State (CRQS) model, in analogy to the well-known Common Reference String (CRS). The CRQS model is a natural generalization of the CRS model but appears to be more powerful: in the two-party setting, a CRQS can sometimes exhibit properties associated with a Random Oracle queried once, by measuring a maximally entangled state in one of many mutually unbiased bases. We formalize this notion as a Weak One-Time Random Oracle (WOTRO), where we only ask of the $m$-bit output that it have some randomness when conditioned on the $n$-bit input. We show that when $n-m\in\omega(\lg n)$, any protocol for WOTRO in the CRQS model can be attacked by an (inefficient) adversary. Moreover, our adversary is efficiently simulatable, which rules out proving the computational security of a scheme by a fully black-box reduction to a cryptographic game assumption. On the other hand, we introduce a non-game quantum assumption for hash functions that implies WOTRO in the CRQS model (where the CRQS consists only of EPR pairs). We first build a statistically secure WOTRO protocol where $m=n$, then hash the output. The impossibility of WOTRO has the following consequences. First, we show the fully black-box impossibility of a quantum Fiat-Shamir transform, extending the impossibility result of Bitansky et al. (TCC 2013) to the CRQS model. Second, we show a fully black-box impossibility result for a strengthened version of quantum lightning (Zhandry, Eurocrypt 2019) where quantum bolts have an additional parameter that cannot be changed without generating new bolts. Our results also apply to $2$-message protocols in the plain model.
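The following toy simulation is an added illustration of the "Random Oracle queried once" intuition, not the paper's protocol or code: each party holds one half of $n$ EPR pairs (the CRQS) and measures pair $i$ in the $Z$ basis if input bit $i$ is 0 or in the $X$ basis if it is 1 (two mutually unbiased bases, chosen per input bit, are an assumption made here for concreteness). With equal inputs the two parties obtain identical, uniformly random outputs; where their inputs differ, the outcomes at that position are independent. The hashing step from $m=n$ down to $m<n$ is not simulated.

```python
"""Toy simulation of a WOTRO-style evaluation on shared EPR pairs.

Added illustration, not the paper's construction. Assumptions: the CRQS is n
EPR pairs, and the basis for pair i is Z (input bit 0) or X (input bit 1).
Amplitudes are real throughout, so plain squares give probabilities.
"""
import numpy as np

HADAMARD = np.array([[1, 1], [1, -1]]) / np.sqrt(2)
IDENTITY = np.eye(2)


def epr_pair():
    """|Phi+> = (|00> + |11>)/sqrt(2); amplitude index is 2*a + b."""
    state = np.zeros(4)
    state[0] = state[3] = 1 / np.sqrt(2)
    return state


def measure(state, qubit, basis, rng):
    """Measure `qubit` (0 = Alice's half, 1 = Bob's) in basis 0 (Z) or 1 (X).

    Returns (outcome, post-measurement state expressed in the computational basis).
    """
    rot = HADAMARD if basis == 1 else IDENTITY
    op = np.kron(rot, IDENTITY) if qubit == 0 else np.kron(IDENTITY, rot)
    rotated = op @ state                       # rotate the chosen basis onto Z
    amp = rotated.reshape(2, 2)                # amp[a, b]
    p1 = np.sum(amp[1, :] ** 2) if qubit == 0 else np.sum(amp[:, 1] ** 2)
    outcome = 1 if rng.random() < p1 else 0
    proj = np.zeros((2, 2))
    proj[outcome, outcome] = 1.0
    proj_full = np.kron(proj, IDENTITY) if qubit == 0 else np.kron(IDENTITY, proj)
    post = proj_full @ rotated
    post = post / np.linalg.norm(post)         # collapse and renormalise
    return outcome, op.T @ post                # rotate back (H and I are self-inverse)


def wotro_outputs(alice_input, bob_input, rng):
    """Both parties evaluate the toy WOTRO on fresh EPR pairs with their own inputs."""
    assert len(alice_input) == len(bob_input)
    alice_out, bob_out = [], []
    for a_bit, b_bit in zip(alice_input, bob_input):
        state = epr_pair()                     # a fresh CRQS pair per position
        a, state = measure(state, 0, a_bit, rng)
        b, _ = measure(state, 1, b_bit, rng)
        alice_out.append(a)
        bob_out.append(b)
    return alice_out, bob_out


def agreement_rate(alice_input, bob_input, trials, seed=0):
    """Fraction of output positions on which Alice and Bob agree over `trials` runs."""
    rng = np.random.default_rng(seed)
    agree = 0
    for _ in range(trials):
        a, b = wotro_outputs(alice_input, bob_input, rng)
        agree += sum(x == y for x, y in zip(a, b))
    return agree / (trials * len(alice_input))


def output_bits_vary(inp, trials, seed=0):
    """True if, for a fixed input, every output position takes both values 0 and 1.

    This is the 'some randomness conditioned on the input' property of a WOTRO:
    the same n-bit input does not pin down the output.
    """
    rng = np.random.default_rng(seed)
    seen = [set() for _ in inp]
    for _ in range(trials):
        a, _ = wotro_outputs(inp, inp, rng)
        for pos, bit in enumerate(a):
            seen[pos].add(bit)
    return all(s == {0, 1} for s in seen)


if __name__ == "__main__":
    print("same input agreement:", agreement_rate([0, 1, 1, 0], [0, 1, 1, 0], 200))
    print("opposite input agreement:", agreement_rate([0, 0, 0, 0], [1, 1, 1, 1], 500))
    print("outputs vary for fixed input:", output_bits_vary([1, 0, 1], 100))
```

Agreement on equal inputs is exact (a perfectly correlated outcome in a shared basis), while on complementary inputs it sits near 1/2, which is what mutually unbiased bases give; the fixed-input check shows the output keeps randomness conditioned on the input, which is the property the abstract asks of a WOTRO.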