![Page 1: On Security Notions for Encryption in a Quantum World](https://reader033.vdocument.in/reader033/viewer/2022061414/629e308cd1d71544f706a56c/html5/thumbnails/1.jpg)
1/10
On Security Notions for Encryptionin a Quantum World
Celine Chevalier 1 Ehsan Ebrahimi 2 Quoc-Huy Vu 1
1Universite Pantheon-Assas Paris II 2University of Luxembourg
![Page 2: On Security Notions for Encryption in a Quantum World](https://reader033.vdocument.in/reader033/viewer/2022061414/629e308cd1d71544f706a56c/html5/thumbnails/2.jpg)
2/10
Motivations
This paper: fully-quantum security for classical encryption.
Classical Security
Classical adversaries, classical communication
Post-quantum Security
Quantum adversaries, classical communication
Fully-Quantum Security [BZ’13, DFNS’14, GHS’16]
Quantum adversaries, quantum communication.
I Running classically obfuscated programs in quantum computers
I Exotic quantum attacks: frozen smart-card attack
![Page 3: On Security Notions for Encryption in a Quantum World](https://reader033.vdocument.in/reader033/viewer/2022061414/629e308cd1d71544f706a56c/html5/thumbnails/3.jpg)
2/10
Motivations
This paper: fully-quantum security for classical encryption.
Classical Security
Classical adversaries, classical communication
Post-quantum Security
Quantum adversaries, classical communication
Fully-Quantum Security [BZ’13, DFNS’14, GHS’16]
Quantum adversaries, quantum communication.
I Running classically obfuscated programs in quantum computers
I Exotic quantum attacks: frozen smart-card attack
![Page 4: On Security Notions for Encryption in a Quantum World](https://reader033.vdocument.in/reader033/viewer/2022061414/629e308cd1d71544f706a56c/html5/thumbnails/4.jpg)
2/10
Motivations
This paper: fully-quantum security for classical encryption.
Classical Security
Classical adversaries, classical communication
Post-quantum Security
Quantum adversaries, classical communication
Fully-Quantum Security [BZ’13, DFNS’14, GHS’16]
Quantum adversaries, quantum communication.
I Running classically obfuscated programs in quantum computers
I Exotic quantum attacks: frozen smart-card attack
![Page 5: On Security Notions for Encryption in a Quantum World](https://reader033.vdocument.in/reader033/viewer/2022061414/629e308cd1d71544f706a56c/html5/thumbnails/5.jpg)
2/10
Motivations
This paper: fully-quantum security for classical encryption.
Classical Security
Classical adversaries, classical communication
Post-quantum Security
Quantum adversaries, classical communication
Fully-Quantum Security [BZ’13, DFNS’14, GHS’16]
Quantum adversaries, quantum communication.
I Running classically obfuscated programs in quantum computers
I Exotic quantum attacks: frozen smart-card attack
![Page 6: On Security Notions for Encryption in a Quantum World](https://reader033.vdocument.in/reader033/viewer/2022061414/629e308cd1d71544f706a56c/html5/thumbnails/6.jpg)
3/10
Prior Results
1 Superposition access to encryption oracle
2 Superposition access to decryption oracle in chosen-ciphertext security.
BZ’13 Superposition access to encryption and decryption oracles, but challengesare classical, for both PKE and SKE.
GHS’16 Quantum challenges, but restricted to a special minimal oracle, limited toonly SKE and CPA security.
Open Quantum challenges, in the standard oracle model, for both PKE and SKEwith CCA security.I No-cloning TheoremI Measurement destructivenessI Impossibility for any Left-or-Right indistinguishability notion [BZ’13]
![Page 7: On Security Notions for Encryption in a Quantum World](https://reader033.vdocument.in/reader033/viewer/2022061414/629e308cd1d71544f706a56c/html5/thumbnails/7.jpg)
3/10
Prior Results
1 Superposition access to encryption oracle∑x
αx |x, y〉 7→∑x
αx |x, y ⊕ Enc(x)〉
2 Superposition access to decryption oracle in chosen-ciphertext security.
BZ’13 Superposition access to encryption and decryption oracles, but challengesare classical, for both PKE and SKE.
GHS’16 Quantum challenges, but restricted to a special minimal oracle, limited toonly SKE and CPA security.
Open Quantum challenges, in the standard oracle model, for both PKE and SKEwith CCA security.I No-cloning TheoremI Measurement destructivenessI Impossibility for any Left-or-Right indistinguishability notion [BZ’13]
![Page 8: On Security Notions for Encryption in a Quantum World](https://reader033.vdocument.in/reader033/viewer/2022061414/629e308cd1d71544f706a56c/html5/thumbnails/8.jpg)
3/10
Prior Results
1 Superposition access to encryption oracle
2 Superposition access to decryption oracle in chosen-ciphertext security.
BZ’13 Superposition access to encryption and decryption oracles, but challengesare classical, for both PKE and SKE.
GHS’16 Quantum challenges, but restricted to a special minimal oracle, limited toonly SKE and CPA security.
Open Quantum challenges, in the standard oracle model, for both PKE and SKEwith CCA security.I No-cloning TheoremI Measurement destructivenessI Impossibility for any Left-or-Right indistinguishability notion [BZ’13]
![Page 9: On Security Notions for Encryption in a Quantum World](https://reader033.vdocument.in/reader033/viewer/2022061414/629e308cd1d71544f706a56c/html5/thumbnails/9.jpg)
3/10
Prior Results
1 Superposition access to encryption oracle
2 Superposition access to decryption oracle in chosen-ciphertext security.
BZ’13 Superposition access to encryption and decryption oracles, but challengesare classical, for both PKE and SKE.
GHS’16 Quantum challenges, but restricted to a special minimal oracle, limited toonly SKE and CPA security.
Open Quantum challenges, in the standard oracle model, for both PKE and SKEwith CCA security.I No-cloning TheoremI Measurement destructivenessI Impossibility for any Left-or-Right indistinguishability notion [BZ’13]
![Page 10: On Security Notions for Encryption in a Quantum World](https://reader033.vdocument.in/reader033/viewer/2022061414/629e308cd1d71544f706a56c/html5/thumbnails/10.jpg)
3/10
Prior Results
1 Superposition access to encryption oracle
2 Superposition access to decryption oracle in chosen-ciphertext security.
BZ’13 Superposition access to encryption and decryption oracles, but challengesare classical, for both PKE and SKE.
GHS’16 Quantum challenges, but restricted to a special minimal oracle, limited toonly SKE and CPA security.
Open Quantum challenges, in the standard oracle model, for both PKE and SKEwith CCA security.I No-cloning TheoremI Measurement destructivenessI Impossibility for any Left-or-Right indistinguishability notion [BZ’13]
![Page 11: On Security Notions for Encryption in a Quantum World](https://reader033.vdocument.in/reader033/viewer/2022061414/629e308cd1d71544f706a56c/html5/thumbnails/11.jpg)
3/10
Prior Results
1 Superposition access to encryption oracle
2 Superposition access to decryption oracle in chosen-ciphertext security.
BZ’13 Superposition access to encryption and decryption oracles, but challengesare classical, for both PKE and SKE.
GHS’16 Quantum challenges, but restricted to a special minimal oracle, limited toonly SKE and CPA security.
Open Quantum challenges, in the standard oracle model, for both PKE and SKEwith CCA security.I No-cloning TheoremI Measurement destructivenessI Impossibility for any Left-or-Right indistinguishability notion [BZ’13]
![Page 12: On Security Notions for Encryption in a Quantum World](https://reader033.vdocument.in/reader033/viewer/2022061414/629e308cd1d71544f706a56c/html5/thumbnails/12.jpg)
4/10
Our Work
Main Results
An achievable, meaningful quantum notion of chosen-ciphertext security for bothsecret- and public-key encryption.
Our Techniques
I Switching from a Left-or-Right indistinguishability notion to a Real-or-Randomindistinguishability notion.
I Adapting Zhandry’s compressed oracle technique to randomized functions.[Zhandry’19]
![Page 13: On Security Notions for Encryption in a Quantum World](https://reader033.vdocument.in/reader033/viewer/2022061414/629e308cd1d71544f706a56c/html5/thumbnails/13.jpg)
4/10
Our Work
Main Results
An achievable, meaningful quantum notion of chosen-ciphertext security for bothsecret- and public-key encryption.
Our Techniques
I Switching from a Left-or-Right indistinguishability notion to a Real-or-Randomindistinguishability notion.
I Adapting Zhandry’s compressed oracle technique to randomized functions.[Zhandry’19]
![Page 14: On Security Notions for Encryption in a Quantum World](https://reader033.vdocument.in/reader033/viewer/2022061414/629e308cd1d71544f706a56c/html5/thumbnails/14.jpg)
4/10
Our Work
Main Results
An achievable, meaningful quantum notion of chosen-ciphertext security for bothsecret- and public-key encryption.
Our Techniques
I Switching from a Left-or-Right indistinguishability notion to a Real-or-Randomindistinguishability notion.
I Adapting Zhandry’s compressed oracle technique to randomized functions.[Zhandry’19]
![Page 15: On Security Notions for Encryption in a Quantum World](https://reader033.vdocument.in/reader033/viewer/2022061414/629e308cd1d71544f706a56c/html5/thumbnails/15.jpg)
4/10
Our Work
Main Results
An achievable, meaningful quantum notion of chosen-ciphertext security for bothsecret- and public-key encryption.
Our Techniques
I Switching from a Left-or-Right indistinguishability notion to a Real-or-Randomindistinguishability notion.
I Adapting Zhandry’s compressed oracle technique to randomized functions.[Zhandry’19]
![Page 16: On Security Notions for Encryption in a Quantum World](https://reader033.vdocument.in/reader033/viewer/2022061414/629e308cd1d71544f706a56c/html5/thumbnails/16.jpg)
5/10
Zhandry’s Recording Technique [Zhandry’19]1
I Goal: on-the-fly simulation of random oracles in the quantum setting.
Four steps
1 Quantum-ify
2 Look at Fourier Domain
3 Compress
4 Revert back to Primal Domain
Perfect Simulability
This is a perfect simulation for quantum random oracles.
1© Zhandry, CRYPTO’19
![Page 17: On Security Notions for Encryption in a Quantum World](https://reader033.vdocument.in/reader033/viewer/2022061414/629e308cd1d71544f706a56c/html5/thumbnails/17.jpg)
5/10
Zhandry’s Recording Technique [Zhandry’19]1
I Goal: on-the-fly simulation of random oracles in the quantum setting.
Four steps
1 Quantum-ify
2 Look at Fourier Domain
3 Compress
4 Revert back to Primal Domain
Perfect Simulability
This is a perfect simulation for quantum random oracles.
1© Zhandry, CRYPTO’19
![Page 18: On Security Notions for Encryption in a Quantum World](https://reader033.vdocument.in/reader033/viewer/2022061414/629e308cd1d71544f706a56c/html5/thumbnails/18.jpg)
5/10
Zhandry’s Recording Technique [Zhandry’19]1
I Goal: on-the-fly simulation of random oracles in the quantum setting.
Four steps
1 Quantum-ify
2 Look at Fourier Domain
3 Compress
4 Revert back to Primal Domain
Perfect Simulability
This is a perfect simulation for quantum random oracles.
1© Zhandry, CRYPTO’19
![Page 19: On Security Notions for Encryption in a Quantum World](https://reader033.vdocument.in/reader033/viewer/2022061414/629e308cd1d71544f706a56c/html5/thumbnails/19.jpg)
5/10
Zhandry’s Recording Technique [Zhandry’19]1
I Goal: on-the-fly simulation of random oracles in the quantum setting.
Four steps
1 Quantum-ify
Measuring∑
h |h〉 = h$← U
2 Look at Fourier Domain
3 Compress
4 Revert back to Primal Domain
Perfect Simulability
This is a perfect simulation for quantum random oracles.
1© Zhandry, CRYPTO’19
![Page 20: On Security Notions for Encryption in a Quantum World](https://reader033.vdocument.in/reader033/viewer/2022061414/629e308cd1d71544f706a56c/html5/thumbnails/20.jpg)
5/10
Zhandry’s Recording Technique [Zhandry’19]1
I Goal: on-the-fly simulation of random oracles in the quantum setting.
Four steps
1 Quantum-ify
2 Look at Fourier Domain
3 Compress
4 Revert back to Primal Domain
Perfect Simulability
This is a perfect simulation for quantum random oracles.
1© Zhandry, CRYPTO’19
![Page 21: On Security Notions for Encryption in a Quantum World](https://reader033.vdocument.in/reader033/viewer/2022061414/629e308cd1d71544f706a56c/html5/thumbnails/21.jpg)
5/10
Zhandry’s Recording Technique [Zhandry’19]1
I Goal: on-the-fly simulation of random oracles in the quantum setting.
Four steps
1 Quantum-ify
2 Look at Fourier Domain
|x, y〉A |h〉O 7→ |x, y ⊕ h(x)〉A |h〉OFourier
=====⇒Transform
|x, y〉A |h〉O 7→ |x, y〉A |h⊕ Px,y〉O
3 Compress
4 Revert back to Primal Domain
Perfect Simulability
This is a perfect simulation for quantum random oracles.
1© Zhandry, CRYPTO’19
![Page 22: On Security Notions for Encryption in a Quantum World](https://reader033.vdocument.in/reader033/viewer/2022061414/629e308cd1d71544f706a56c/html5/thumbnails/22.jpg)
5/10
Zhandry’s Recording Technique [Zhandry’19]1
I Goal: on-the-fly simulation of random oracles in the quantum setting.
Four steps
1 Quantum-ify
2 Look at Fourier Domain
3 Compress
4 Revert back to Primal Domain
Perfect Simulability
This is a perfect simulation for quantum random oracles.
1© Zhandry, CRYPTO’19
![Page 23: On Security Notions for Encryption in a Quantum World](https://reader033.vdocument.in/reader033/viewer/2022061414/629e308cd1d71544f706a56c/html5/thumbnails/23.jpg)
5/10
Zhandry’s Recording Technique [Zhandry’19]1
I Goal: on-the-fly simulation of random oracles in the quantum setting.
Four steps
1 Quantum-ify
2 Look at Fourier Domain
3 Compress
Initial Oracle State D = {}. Query(x, y,D):
1 If @(x, y′) ∈ D, D = D ∪ {(x, 0)}2 D = D \ {(x, y′)} ∪ {(x, y ⊕ y′)}3 D = D \ {(x, 0)} if ∃(x, 0) ∈ D
4 Revert back to Primal Domain
Perfect Simulability
This is a perfect simulation for quantum random oracles.
1© Zhandry, CRYPTO’19
![Page 24: On Security Notions for Encryption in a Quantum World](https://reader033.vdocument.in/reader033/viewer/2022061414/629e308cd1d71544f706a56c/html5/thumbnails/24.jpg)
5/10
Zhandry’s Recording Technique [Zhandry’19]1
I Goal: on-the-fly simulation of random oracles in the quantum setting.
Four steps
1 Quantum-ify
2 Look at Fourier Domain
3 Compress
4 Revert back to Primal Domain
Perfect Simulability
This is a perfect simulation for quantum random oracles.
1© Zhandry, CRYPTO’19
![Page 25: On Security Notions for Encryption in a Quantum World](https://reader033.vdocument.in/reader033/viewer/2022061414/629e308cd1d71544f706a56c/html5/thumbnails/25.jpg)
5/10
Zhandry’s Recording Technique [Zhandry’19]1
I Goal: on-the-fly simulation of random oracles in the quantum setting.
Four steps
1 Quantum-ify
2 Look at Fourier Domain
3 Compress
4 Revert back to Primal Domain
The oracle now has information about the adversary’s queries.
Perfect Simulability
This is a perfect simulation for quantum random oracles.
1© Zhandry, CRYPTO’19
![Page 26: On Security Notions for Encryption in a Quantum World](https://reader033.vdocument.in/reader033/viewer/2022061414/629e308cd1d71544f706a56c/html5/thumbnails/26.jpg)
5/10
Zhandry’s Recording Technique [Zhandry’19]1
I Goal: on-the-fly simulation of random oracles in the quantum setting.
Four steps
1 Quantum-ify
2 Look at Fourier Domain
3 Compress
4 Revert back to Primal Domain
Perfect Simulability
This is a perfect simulation for quantum random oracles.
1© Zhandry, CRYPTO’19
![Page 27: On Security Notions for Encryption in a Quantum World](https://reader033.vdocument.in/reader033/viewer/2022061414/629e308cd1d71544f706a56c/html5/thumbnails/27.jpg)
6/10
Recording Technique for Randomized Functions
Consider a randomized function f(x; r)
1 Quantum-ify
2 Look at Fourier Domain
3 Compress
4 Revert back to Primal Domain
Caveat!
The above simulation needs 3 applications of Uf . Thus it is not useful for:
I Proving one-time security
I Security reductions (Encrypt-then-Mac)
Simulation with 1 call to Uf
In the randomized setting, the database is always initialized to “zero”, thus we cansimulate with only one call to Uf .
![Page 28: On Security Notions for Encryption in a Quantum World](https://reader033.vdocument.in/reader033/viewer/2022061414/629e308cd1d71544f706a56c/html5/thumbnails/28.jpg)
6/10
Recording Technique for Randomized Functions
Consider a randomized function f(x; r)
1 Quantum-ify
2 Look at Fourier Domain
3 Compress
4 Revert back to Primal Domain
Caveat!
The above simulation needs 3 applications of Uf . Thus it is not useful for:
I Proving one-time security
I Security reductions (Encrypt-then-Mac)
Simulation with 1 call to Uf
In the randomized setting, the database is always initialized to “zero”, thus we cansimulate with only one call to Uf .
![Page 29: On Security Notions for Encryption in a Quantum World](https://reader033.vdocument.in/reader033/viewer/2022061414/629e308cd1d71544f706a56c/html5/thumbnails/29.jpg)
6/10
Recording Technique for Randomized Functions
Consider a randomized function f(x; r)
1 Quantum-ify
Measuring∑
r |r〉 = r$← U
2 Look at Fourier Domain
3 Compress
4 Revert back to Primal Domain
Caveat!
The above simulation needs 3 applications of Uf . Thus it is not useful for:
I Proving one-time security
I Security reductions (Encrypt-then-Mac)
Simulation with 1 call to Uf
In the randomized setting, the database is always initialized to “zero”, thus we cansimulate with only one call to Uf .
![Page 30: On Security Notions for Encryption in a Quantum World](https://reader033.vdocument.in/reader033/viewer/2022061414/629e308cd1d71544f706a56c/html5/thumbnails/30.jpg)
6/10
Recording Technique for Randomized Functions
Consider a randomized function f(x; r)
1 Quantum-ify
2 Look at Fourier Domain
3 Compress
4 Revert back to Primal Domain
Caveat!
The above simulation needs 3 applications of Uf . Thus it is not useful for:
I Proving one-time security
I Security reductions (Encrypt-then-Mac)
Simulation with 1 call to Uf
In the randomized setting, the database is always initialized to “zero”, thus we cansimulate with only one call to Uf .
![Page 31: On Security Notions for Encryption in a Quantum World](https://reader033.vdocument.in/reader033/viewer/2022061414/629e308cd1d71544f706a56c/html5/thumbnails/31.jpg)
6/10
Recording Technique for Randomized Functions
Consider a randomized function f(x; r)
1 Quantum-ify
2 Look at Fourier Domain
|x, y〉A |r, fr〉O 7→ |x, y ⊕ f(x; r)〉A |r, fr〉OQFT===⇒ |x, y〉A |r, fr〉O 7→ |x, y〉A |r, fr ⊕ Px,y〉O
3 Compress
4 Revert back to Primal Domain
Caveat!
The above simulation needs 3 applications of Uf . Thus it is not useful for:
I Proving one-time security
I Security reductions (Encrypt-then-Mac)
Simulation with 1 call to Uf
In the randomized setting, the database is always initialized to “zero”, thus we cansimulate with only one call to Uf .
![Page 32: On Security Notions for Encryption in a Quantum World](https://reader033.vdocument.in/reader033/viewer/2022061414/629e308cd1d71544f706a56c/html5/thumbnails/32.jpg)
6/10
Recording Technique for Randomized Functions
Consider a randomized function f(x; r)
1 Quantum-ify
2 Look at Fourier Domain
3 Compress
4 Revert back to Primal Domain
Caveat!
The above simulation needs 3 applications of Uf . Thus it is not useful for:
I Proving one-time security
I Security reductions (Encrypt-then-Mac)
Simulation with 1 call to Uf
In the randomized setting, the database is always initialized to “zero”, thus we cansimulate with only one call to Uf .
![Page 33: On Security Notions for Encryption in a Quantum World](https://reader033.vdocument.in/reader033/viewer/2022061414/629e308cd1d71544f706a56c/html5/thumbnails/33.jpg)
6/10
Recording Technique for Randomized Functions
Consider a randomized function f(x; r)
1 Quantum-ify
2 Look at Fourier Domain
3 Compress
Initial Oracle State D = {}. Query(x, y,D):
1 If @(r, x, y′) ∈ D, D = D ∪ {(r, x, f(x; r))}2 D = D \ {(r, x, y′)} ∪ {(r, x, f(x; r)⊕ y′)}3 D = D \ {(r, x, 0)} if ∃(r, x, 0) ∈ D
4 Revert back to Primal Domain
Caveat!
The above simulation needs 3 applications of Uf . Thus it is not useful for:
I Proving one-time security
I Security reductions (Encrypt-then-Mac)
Simulation with 1 call to Uf
In the randomized setting, the database is always initialized to “zero”, thus we cansimulate with only one call to Uf .
![Page 34: On Security Notions for Encryption in a Quantum World](https://reader033.vdocument.in/reader033/viewer/2022061414/629e308cd1d71544f706a56c/html5/thumbnails/34.jpg)
6/10
Recording Technique for Randomized Functions
Consider a randomized function f(x; r)
1 Quantum-ify
2 Look at Fourier Domain
3 Compress
4 Revert back to Primal Domain
Caveat!
The above simulation needs 3 applications of Uf . Thus it is not useful for:
I Proving one-time security
I Security reductions (Encrypt-then-Mac)
Simulation with 1 call to Uf
In the randomized setting, the database is always initialized to “zero”, thus we cansimulate with only one call to Uf .
![Page 35: On Security Notions for Encryption in a Quantum World](https://reader033.vdocument.in/reader033/viewer/2022061414/629e308cd1d71544f706a56c/html5/thumbnails/35.jpg)
6/10
Recording Technique for Randomized Functions
Consider a randomized function f(x; r)
1 Quantum-ify
2 Look at Fourier Domain
3 Compress
4 Revert back to Primal Domain
Caveat!
The above simulation needs 3 applications of Uf . Thus it is not useful for:
I Proving one-time security
I Security reductions (Encrypt-then-Mac)
Simulation with 1 call to Uf
In the randomized setting, the database is always initialized to “zero”, thus we cansimulate with only one call to Uf .
![Page 36: On Security Notions for Encryption in a Quantum World](https://reader033.vdocument.in/reader033/viewer/2022061414/629e308cd1d71544f706a56c/html5/thumbnails/36.jpg)
6/10
Recording Technique for Randomized Functions
Consider a randomized function f(x; r)
1 Quantum-ify
2 Look at Fourier Domain
3 Compress
4 Revert back to Primal Domain
Caveat!
The above simulation needs 3 applications of Uf . Thus it is not useful for:
I Proving one-time security
I Security reductions (Encrypt-then-Mac)
Simulation with 1 call to Uf
In the randomized setting, the database is always initialized to “zero”, thus we cansimulate with only one call to Uf .
![Page 37: On Security Notions for Encryption in a Quantum World](https://reader033.vdocument.in/reader033/viewer/2022061414/629e308cd1d71544f706a56c/html5/thumbnails/37.jpg)
6/10
Recording Technique for Randomized Functions
Consider a randomized function f(x; r)
1 Quantum-ify
2 Look at Fourier Domain
3 Compress
4 Revert back to Primal Domain
Caveat!
The above simulation needs 3 applications of Uf . Thus it is not useful for:
I Proving one-time security
I Security reductions (Encrypt-then-Mac)
Simulation with 1 call to Uf
In the randomized setting, the database is always initialized to “zero”, thus we cansimulate with only one call to Uf .
![Page 38: On Security Notions for Encryption in a Quantum World](https://reader033.vdocument.in/reader033/viewer/2022061414/629e308cd1d71544f706a56c/html5/thumbnails/38.jpg)
6/10
Recording Technique for Randomized Functions
Consider a randomized function f(x; r)
1 Quantum-ify
2 Look at Fourier Domain
3 Compress
4 Revert back to Primal Domain
Caveat!
The above simulation needs 3 applications of Uf . Thus it is not useful for:
I Proving one-time security
I Security reductions (Encrypt-then-Mac)
Simulation with 1 call to Uf
In the randomized setting, the database is always initialized to “zero”, thus we cansimulate with only one call to Uf .
![Page 39: On Security Notions for Encryption in a Quantum World](https://reader033.vdocument.in/reader033/viewer/2022061414/629e308cd1d71544f706a56c/html5/thumbnails/39.jpg)
7/10
IND-CCA (Real-or-Random)2
ExptbSE(λ,A):
1 k$← K()
2 (x, state)← AEnck,Deck1 (λ)
3 x0 ← x, x1$← X
4 y? ← Enck(xb)
5 b′ ← AEnck,Dec?k2 (y?, state)
6 return b′
I Dec?k(y) =
{⊥ if y = y?
Deck(y)
I πb =
{π if b = 1
1 if b = 0
∣∣Pr[Expt1SE(λ,A) = 1
]− Pr
[Expt0SE(λ,A) = 1
]∣∣ ≤ ε2Single-Challenge
![Page 40: On Security Notions for Encryption in a Quantum World](https://reader033.vdocument.in/reader033/viewer/2022061414/629e308cd1d71544f706a56c/html5/thumbnails/40.jpg)
7/10
IND-CCA (Real-or-Random)2
ExptbSE(λ,A):
1 k$← K()
2 (x, state)← AEnck,Deck1 (λ)
3 x0 ← x, x1$← X
4 y? ← Enck(xb)
5 b′ ← AEnck,Dec?k2 (y?, state)
6 return b′
I Dec?k(y) =
{⊥ if y = y?
Deck(y)
I πb =
{π if b = 1
1 if b = 0
∣∣Pr[Expt1SE(λ,A) = 1
]− Pr
[Expt0SE(λ,A) = 1
]∣∣ ≤ ε2Single-Challenge
![Page 41: On Security Notions for Encryption in a Quantum World](https://reader033.vdocument.in/reader033/viewer/2022061414/629e308cd1d71544f706a56c/html5/thumbnails/41.jpg)
7/10
IND-CCA (Real-or-Random)2
ExptbSE(λ,A):
1 k$← K()
2 (x, state)← AEnck,Deck1 (λ)
3 x0 ← x, x1$← X
4 y? ← Enck(xb)
5 b′ ← AEnck,Dec?k2 (y?, state)
6 return b′
I Dec?k(y) =
{x if y = y?
Deck(y)
I πb =
{π if b = 1
1 if b = 0
∣∣Pr[Expt1SE(λ,A) = 1
]− Pr
[Expt0SE(λ,A) = 1
]∣∣ ≤ ε2Single-Challenge
![Page 42: On Security Notions for Encryption in a Quantum World](https://reader033.vdocument.in/reader033/viewer/2022061414/629e308cd1d71544f706a56c/html5/thumbnails/42.jpg)
7/10
IND-CCA (Real-or-Random)2
ExptbSE(λ,A):
1 k$← K()
2 (x, state)← AEnck,Deck1 (λ)
3 x0 ← x, x1$← X
4 y? ← Enck(xb)
5 b′ ← AEnck,Dec?k2 (y?, state)
6 return b′
I Dec?k(y) =
{x if y = y?
Deck(y)
I πb =
{π if b = 1
1 if b = 0
∣∣Pr[Expt1SE(λ,A) = 1
]− Pr
[Expt0SE(λ,A) = 1
]∣∣ ≤ ε2Single-Challenge
![Page 43: On Security Notions for Encryption in a Quantum World](https://reader033.vdocument.in/reader033/viewer/2022061414/629e308cd1d71544f706a56c/html5/thumbnails/43.jpg)
7/10
IND-CCA (Real-or-Random)2
ExptbSE(λ,A):
1 k$← K()
2 (x, state)← AEnck,Deck1 (λ)
3 π$← Π
4 y? ← Enck(πb(x))
5 b′ ← AEnck,Dec?k2 (y?, state)
6 return b′
I Dec?k(y) =
{x if y = y?
Deck(y)
I πb =
{π if b = 1
1 if b = 0
∣∣Pr[Expt1SE(λ,A) = 1
]− Pr
[Expt0SE(λ,A) = 1
]∣∣ ≤ ε2Single-Challenge
![Page 44: On Security Notions for Encryption in a Quantum World](https://reader033.vdocument.in/reader033/viewer/2022061414/629e308cd1d71544f706a56c/html5/thumbnails/44.jpg)
8/10
qIND-qCCA (Real-or-Random)
ExptbSE(λ,A):
1 k$← K()
2∑
x,yαx,y |x, y, φx,y〉︸ ︷︷ ︸|Φ〉
← A|Enck〉,|Deck〉1 (λ)
3 π$← Π
4∑
x,y αx,y |x, y ⊕ Enck(πb(x)), φx,y〉︸ ︷︷ ︸
|Ψ〉
⊗Dx,y ← Enck◦πb |Φ〉
5 b′ ← A|Enck〉,|Dec?k 〉2 (|Ψ〉)
6 return b′
Dec?k |y, z〉 ⊗D =
{|y, z ⊕ Deck(y)〉 if @(w, y) ∈ D|y, z ⊕ w〉 if ∃(w, y) ∈ D
![Page 45: On Security Notions for Encryption in a Quantum World](https://reader033.vdocument.in/reader033/viewer/2022061414/629e308cd1d71544f706a56c/html5/thumbnails/45.jpg)
8/10
qIND-qCCA (Real-or-Random)
ExptbSE(λ,A):
1 k$← K()
2∑
x,yαx,y |x, y, φx,y〉︸ ︷︷ ︸|Φ〉
← A|Enck〉,|Deck〉1 (λ)
3 π$← Π
4∑
x,y αx,y |x, y ⊕ Enck(πb(x)), φx,y〉︸ ︷︷ ︸
|Ψ〉
⊗Dx,y ← Enck◦πb |Φ〉
5 b′ ← A|Enck〉,|Dec?k 〉2 (|Ψ〉)
6 return b′
Dec?k |y, z〉 ⊗D =
{|y, z ⊕ Deck(y)〉 if @(w, y) ∈ D|y, z ⊕ w〉 if ∃(w, y) ∈ D
![Page 46: On Security Notions for Encryption in a Quantum World](https://reader033.vdocument.in/reader033/viewer/2022061414/629e308cd1d71544f706a56c/html5/thumbnails/46.jpg)
8/10
qIND-qCCA (Real-or-Random)
ExptbSE(λ,A):
1 k$← K()
2∑
x,yαx,y |x, y, φx,y〉︸ ︷︷ ︸|Φ〉
← A|Enck〉,|Deck〉1 (λ)
3 π$← Π
4∑
x,y αx,y |x, y ⊕ Enck(πb(x)), φx,y〉︸ ︷︷ ︸
|Ψ〉
⊗Dx,y ← Enck◦πb |Φ〉
5 b′ ← A|Enck〉,|Dec?k 〉2 (|Ψ〉)
6 return b′
Dec?k |y, z〉 ⊗D =
{|y, z ⊕ Deck(y)〉 if @(w, y) ∈ D|y, z ⊕ w〉 if ∃(w, y) ∈ D
![Page 47: On Security Notions for Encryption in a Quantum World](https://reader033.vdocument.in/reader033/viewer/2022061414/629e308cd1d71544f706a56c/html5/thumbnails/47.jpg)
8/10
qIND-qCCA (Real-or-Random)
ExptbSE(λ,A):
1 k$← K()
2∑
x,yαx,y |x, y, φx,y〉︸ ︷︷ ︸|Φ〉
← A|Enck〉,|Deck〉1 (λ)
3 π$← Π
4∑
x,y αx,y |x, y ⊕ Enck(πb(x)), φx,y〉︸ ︷︷ ︸
|Ψ〉
⊗Dx,y ← Enck◦πb |Φ〉
5 b′ ← A|Enck〉,|Dec?k 〉2 (|Ψ〉)
6 return b′
Dec?k |y, z〉 ⊗D =
{|y, z ⊕ Deck(y)〉 if @(w, y) ∈ D|y, z ⊕ w〉 if ∃(w, y) ∈ D
![Page 48: On Security Notions for Encryption in a Quantum World](https://reader033.vdocument.in/reader033/viewer/2022061414/629e308cd1d71544f706a56c/html5/thumbnails/48.jpg)
8/10
qIND-qCCA (Real-or-Random)
ExptbSE(λ,A):
1 k$← K()
2∑
x,yαx,y |x, y, φx,y〉︸ ︷︷ ︸|Φ〉
← A|Enck〉,|Deck〉1 (λ)
3 π$← Π
4∑
x,y αx,y |x, y ⊕ Enck(πb(x)), φx,y〉︸ ︷︷ ︸
|Ψ〉
⊗Dx,y ← Enck◦πb |Φ〉
5 b′ ← A|Enck〉,|Dec?k 〉2 (|Ψ〉)
6 return b′
Dec?k |y, z〉 ⊗D =
{|y, z ⊕ Deck(y)〉 if @(w, y) ∈ D|y, z ⊕ w〉 if ∃(w, y) ∈ D
Use compressed oracle here
![Page 49: On Security Notions for Encryption in a Quantum World](https://reader033.vdocument.in/reader033/viewer/2022061414/629e308cd1d71544f706a56c/html5/thumbnails/49.jpg)
8/10
qIND-qCCA (Real-or-Random)
ExptbSE(λ,A):
1 k$← K()
2∑
x,yαx,y |x, y, φx,y〉︸ ︷︷ ︸|Φ〉
← A|Enck〉,|Deck〉1 (λ)
3 π$← Π
4∑
x,y αx,y |x, y ⊕ Enck(πb(x)), φx,y〉︸ ︷︷ ︸
|Ψ〉
⊗Dx,y ← Enck◦πb |Φ〉
5 b′ ← A|Enck〉,|Dec?k 〉2 (|Ψ〉)
6 return b′
Dec?k |y, z〉 ⊗D =
{|y, z ⊕ Deck(y)〉 if @(w, y) ∈ D|y, z ⊕ w〉 if ∃(w, y) ∈ D
![Page 50: On Security Notions for Encryption in a Quantum World](https://reader033.vdocument.in/reader033/viewer/2022061414/629e308cd1d71544f706a56c/html5/thumbnails/50.jpg)
8/10
qIND-qCCA (Real-or-Random)
ExptbSE(λ,A):
1 k$← K()
2∑
x,yαx,y |x, y, φx,y〉︸ ︷︷ ︸|Φ〉
← A|Enck〉,|Deck〉1 (λ)
3 π$← Π
4∑
x,y αx,y |x, y ⊕ Enck(πb(x)), φx,y〉︸ ︷︷ ︸
|Ψ〉
⊗Dx,y ← Enck◦πb |Φ〉
5 b′ ← A|Enck〉,|Dec?k 〉2 (|Ψ〉)
6 return b′
Dec?k |y, z〉 ⊗D =
{|y, z ⊕ Deck(y)〉 if @(w, y) ∈ D|y, z ⊕ w〉 if ∃(w, y) ∈ D
![Page 51: On Security Notions for Encryption in a Quantum World](https://reader033.vdocument.in/reader033/viewer/2022061414/629e308cd1d71544f706a56c/html5/thumbnails/51.jpg)
8/10
qIND-qCCA (Real-or-Random)
ExptbSE(λ,A):
1 k$← K()
2∑
x,yαx,y |x, y, φx,y〉︸ ︷︷ ︸|Φ〉
← A|Enck〉,|Deck〉1 (λ)
3 π$← Π
4∑
x,y αx,y |x, y ⊕ Enck(πb(x)), φx,y〉︸ ︷︷ ︸
|Ψ〉
⊗Dx,y ← Enck◦πb |Φ〉
5 b′ ← A|Enck〉,|Dec?k 〉2 (|Ψ〉)
6 return b′
Dec?k |y, z〉 ⊗D =
{|y, z ⊕ Deck(y)〉 if @(w, y) ∈ D|y, z ⊕ w〉 if ∃(w, y) ∈ D
![Page 52: On Security Notions for Encryption in a Quantum World](https://reader033.vdocument.in/reader033/viewer/2022061414/629e308cd1d71544f706a56c/html5/thumbnails/52.jpg)
9/10
Properties & Achievability
Properties
I qIND security ⇒ IND security
I ComposabilityI IND-qCCA < qIND-qCPA
I One-time pad encryption style (stream cipher, GCM, CFB, OFB, CTR ...) isinsecure.
Achievability
I Encrypt-then-MAC is qIND-qCCA
I IND-qCCA PKE + OWF ⇒ qIND-qCCA PKE
![Page 53: On Security Notions for Encryption in a Quantum World](https://reader033.vdocument.in/reader033/viewer/2022061414/629e308cd1d71544f706a56c/html5/thumbnails/53.jpg)
9/10
Properties & Achievability
Properties
I qIND security ⇒ IND security
I ComposabilityI IND-qCCA < qIND-qCPA
I One-time pad encryption style (stream cipher, GCM, CFB, OFB, CTR ...) isinsecure.
Achievability
I Encrypt-then-MAC is qIND-qCCA
I IND-qCCA PKE + OWF ⇒ qIND-qCCA PKE
![Page 54: On Security Notions for Encryption in a Quantum World](https://reader033.vdocument.in/reader033/viewer/2022061414/629e308cd1d71544f706a56c/html5/thumbnails/54.jpg)
9/10
Properties & Achievability
Properties
I qIND security ⇒ IND security
I ComposabilityI IND-qCCA < qIND-qCPA
I One-time pad encryption style (stream cipher, GCM, CFB, OFB, CTR ...) isinsecure.
Achievability
I Encrypt-then-MAC is qIND-qCCA
I IND-qCCA PKE + OWF ⇒ qIND-qCCA PKE
![Page 55: On Security Notions for Encryption in a Quantum World](https://reader033.vdocument.in/reader033/viewer/2022061414/629e308cd1d71544f706a56c/html5/thumbnails/55.jpg)
9/10
Properties & Achievability
Properties
I qIND security ⇒ IND security
I ComposabilityI IND-qCCA < qIND-qCPA
I One-time pad encryption style (stream cipher, GCM, CFB, OFB, CTR ...) isinsecure.
Achievability
I Encrypt-then-MAC is qIND-qCCA
I IND-qCCA PKE + OWF ⇒ qIND-qCCA PKE
![Page 56: On Security Notions for Encryption in a Quantum World](https://reader033.vdocument.in/reader033/viewer/2022061414/629e308cd1d71544f706a56c/html5/thumbnails/56.jpg)
10/10
Thank you!