Quantum Security of Cryptographic Primitives
Faculty of Computer Science of the Technical University of Darmstadt, Germany
Dissertation for the achievement of the title Doctor rerum naturalium (Dr. rer. nat.) of Tommaso Gagliardoni, M.Sc., born in Perugia, Italy
Supervisor: Prof. Dr. Marc Fischlin
Second reviewer: Prof. Dr. Christian Schaffner
Submission Date: 2016-12-16
Defense Date: 2017-02-13
Darmstadt, 2017

This document is an electronic version with minor modifications of the original, published through the E-Publishing-Service of the TU Darmstadt.

This document is released under the following Creative Commons license: Attribution – NonCommercial – NoDerivatives – International 4.0, http://creativecommons.org/licenses/by-nc-nd/4.0/

Acknowledgments
Being a PhD student is a strange experience. I am sure that everyone who goes through this experience has their own personal stories, difficult moments to remember, and funny anecdotes to tell. I, for one, can truly say that these last five years have been exciting, funny, and productive. In short, they have been intense, and I can really say at the end that I have grown up a lot, both from an academic and from a personal perspective.

All of this I owe to my advisor, Marc Fischlin. If I could travel back in time and I were given the choice of applying as a PhD student again, at any one research group I possibly wished for, I would still spam ruthlessly my application to Marc. He taught me a lot of things which go well beyond academic matters, and I value his guidance immensely. When I was accepted in Marc’s group in 2011, I was not aware at the time of how privileged I was. Now I am, and for this I will owe forever a debt of gratitude to Marc.

Being part of the group was a great experience, and I really would like to thank a lot my present and former colleagues for this. I am particularly grateful to Andrea for being always there to help me with the bureaucracy, to Giorgia for helping me to support the thesis that Hawaii Pizza is a mortal sin, to Özgür for taking care of me during my first months in Darmstadt, and to Paul for sharing with me a lot of good time, laughs, and hate for pigeons. I am also very grateful to Arno, Chris, Christian, Cristina, Felix, Jacqueline, Pooya, Sogol, and Victoria, for their friendship and support. Thank you all!

I would also like to thank all my coauthors for many successful collaborations and for having helped me a lot in expanding my scientific knowledge. Sometimes collaboration turned into sincere friendship as well, and therefore I would like to thank in particular Gorjan Alagic, Andreas Hülsing, Nikolaos Karvelas, and Christian Schaffner for the priceless time spent together.

Finally, I would like to thank my family for their endless love and support. I will always look at you as an example and a guidance, and I strive to make you proud of me every day of my life. Thanks.

Tommaso Gagliardoni
Darmstadt, December 2016

Abstract
We call quantum security the area of IT security dealing with scenarios where one or more parties have access to quantum hardware. This encompasses both the fields of post-quantum cryptography (that is, traditional cryptography engineered to be resistant against quantum adversaries), and quantum cryptography (that is, security protocols designed to be natively run on a quantum infrastructure, such as quantum key distribution). Moreover, there exist also hybrid models, where traditional cryptographic schemes are somehow ‘mixed’ with quantum operations in certain scenarios. Even if a fully-fledged, scalable quantum computer has yet to be built, recent results and the pace of research in its realization call for attention, lest we suddenly find ourselves one day with an obsolete security infrastructure. For this reason, in the last two decades research in quantum security has experienced an exponential growth in interest and investments.

In this work, we propose the first systematic classification of quantum security scenarios, and for each of them we recall the main tools and results, as well as presenting new ones. We achieve this goal by identifying four distinct quantum security classes, or domains, each of them encompassing the security notions and constructions related to a particular scenario. We start with the class QS0, which is ‘classical cryptography’ (meaning that no quantum scenario is considered), where we present some classical constructions and results as a preliminary step.

Regarding post-quantum cryptography, we introduce the class QS1, where we discuss in detail the problems arising when designing a classical cryptographic object meant to be resistant against adversaries with local quantum computing power, and we provide a classification of the possible quantum security reductions in this scenario when considering provable security. Moreover, we present results about the quantum security and insecurity of the Fiat-Shamir transformation (a useful tool used to turn interactive identification schemes into digital signatures), and ORAMs (protocols used to outsource a database in a private way).

In respect to hybrid classical-quantum models, in the security class QS quantum oracle access. We also provide a novel framework for the quantum security (both in terms of indistinguishability and semantic security) of secret-key encryption schemes, and we give explicit secure constructions, as well as impossibility results.

Finally, in the class QS quantum encryption schemes (both in the secret- and public-key scenario), and we introduce transformations for obtaining such schemes by conceptually simpler schemes from the class QS2. Moreover, we introduce a quantum version of ORAM, called quantum ORAM (QORAM), aimed at outsourcing in a private way a database composed of quantum data. In proposing a suitable security model and an explicit construction for QORAMs, we also introduce a technique of independent interest which models a quantum adversary able to extract information from a quantum system without disturbing it ‘too much’. We believe that the framework we introduce in this work will be a valuable tool for the scientific community in addressing the challenges arising when formalizing sound constructions and notions of security in the quantum world.
Chapter 1. Introduction
Cryptography is the subdiscipline of mathematics studying information security, that is, the processing of information in presence of an adversary. This includes goals such as communication secrecy, message authentication, identity verification, multiparty computation, and much more. In the modern era of electronic information processing, cryptography is an area of crucial importance, and its applications are ubiquitous.

Modern cryptography is based on provable security. This is a methodological approach to assessing the security of a cryptosystem, where rigorous mathematical models and proofs are required in order to show that the security of the cryptosystem can be formally validated. Arguably the most important branch of provable security, from a practical standpoint, is computational security, which aims at reducing the security of a cryptosystem to some basic hardness assumptions in a mathematically sound way. Hardness assumptions are inherent to the difficulty of solving certain mathematical problems (such as integer factorization) which, for theoretical or historical reasons, are widely considered to be very hard to solve even with the help of the most powerful supercomputers known today. If a given cryptosystem is computationally secure, this means that on one hand it is always theoretically possible for an adversary with enough computational resources to break the security of that cryptosystem. But on the other hand, doing so would require either an unreasonable amount of time (modern standards of security often refer to many times the age of the universe), or an unreasonable amount of computational resources (storage, memory, power, etc.), or both.

The advantage of having a provably secure cryptosystem is that, as long as the security model used is sound and the underlying hardness assumptions hold, one can stay assured that the cryptosystem cannot be ‘broken’.
This is in stark contrast with the ‘heuristic’ approach to cryptography employed until the ’70s, where cryptosystems were designed to be secure according to the intuition of the authors, and the only guarantee of that security was given by the ‘test of time’, in the sense that nobody would find a way to attack the cryptosystem for a long enough time. This approach has turned cryptography from a mere engineering exercise to a logical-deductive discipline.

However, the effectiveness of provable security strongly relies on the hardness assumptions used, which are not guaranteed. Good hardness assumptions are based on the observation that algorithmic advances on solving the underlying mathematical problem would imply (unlikely) breakthrough results of scientific importance. However, all of these assumptions are also based on the belief that the future computing technology will never be inherently different from today’s, save for a somewhat expected increase in performance, due to engineering improvements.
This is where quantum computers come into play. Quantum computers [Fey82] are machines, first theorized by Richard Feynman in the early ’80s, which are not based on the laws of classical physics like traditional computers are, but on the laws of quantum mechanics instead. Quantum mechanics is a very fundamental scientific theory, which has revolutionized physics since the early 20th century. Despite requiring a quite involved mathematical formalism and leading often to very counterintuitive consequences, it has routinely succeeded in predicting experimental results which classical physics could not explain. From a formal point of view, a quantum computer is a mathematical model where the laws of quantum mechanics are exploited to perform some kind of computation, in a much more efficient way than traditional computers. Quantum computers promise to revolutionize the Age of Information as we know it. The ability to store, transmit, and process quantum data opens a world of new possibilities in the area of information processing. Simplified [ARTL15] or limited models [TCM+16] of quantum computers have already been built, and everything from the experiments performed so far seems to confirm the validity of the underlying theory and the viability of the technology. Although a fully-fledged, scalable quantum computer has yet to be built, recent results [OBK+16] and the pace of research in its realization seem to hint at the fact that quantum computing might soon become a reality.
Post-Quantum Cryptography
It turns out that, due to the effects predicted by quantum mechanics, quantum computers can perform tasks which are not possible with any classical computing device, present or future. The breakthrough result in this direction (which sparked a lot of interest for quantum computing in the area of cryptography) is the 1994 work by Peter Shor [Sho94], who showed how for a quantum computer it is possible to factor large integers efficiently, a mathematical task considered to be unreasonably difficult until then, and at the base of many modern cryptosystems such as RSA [RSA78]. Subsequent works have shown discrete logarithm [Wat01] on finite fields and elliptic curves, search on unstructured database [Gro96], collision finding [BHT98], and many others. Given that these are all hardness assumptions at the base of the security of cryptosystems [DH76, Gam84, JMV01] widely adopted in the industrial, banking, and military sectors amongst others, it is clear how the realization of a scalable quantum computer would pose a threat to modern IT infrastructures.

A sound notion of security should be proactive, i.e., trying to take countermeasures against a reasonable future threat before the threat manifests itself. For this reason, cryptography has tried to address the looming danger of quantum computing since the early ’90s. The idea is to find new mathematical problems which are supposed to be ‘hard’ even for quantum computers, so that new, ‘quantum-immune’ cryptosystems can be constructed by relying on such new quantum computational hardness assumptions. These are problems such as finding short vectors on lattices (which are geometric structures of a certain form), inverting hash functions, decoding certain types of linear codes, and a few others.
The branch of cryptography dealing with the mathematical analysis of these assumptions and the construction of new cryptosystems based on such assumptions is called post-quantum cryptography [BBD09]. Post-quantum cryptography is today a thriving branch of information security, and so far it has been quite successful at designing cryptosystems which are at the same time reasonably efficient on today’s hardware, and based on problems which are believed to be quantum-hard.

However, post-quantum cryptography has two fundamental issues.

The first problem is that security proof techniques that have been developed for traditional cryptosystems might fail when ‘translated’ to the quantum scenario. A typical example is rewinding, a technique used in the security proofs of many cryptosystems, which roughly consists in modeling a scenario where the adversary is first run once, then rewound, partially reset, and then re-run again, in order to extract two different but related ‘adversarial transcripts’ that are then used somehow in the security proof. The problem is that rewinding often does not work with quantum adversaries, because the nature of quantum mechanics does not guarantee that a ‘partial reset’ of a quantum computer is always possible. Proof failures of this kind have often been ignored in the post-quantum community in the past, and there are examples of attempts at ‘patching’ non–post-quantum cryptosystems into post-quantum ones, by merely replacing the underlying hardness assumption with a quantum-hard one, and ignoring the fact that in so doing the security proof might become invalid.

The second problem of post-quantum cryptography is the often incomplete understanding of sound security models in the quantum world. One thing is to say that “the cryptosystem should be secure against a quantum adversary”, another thing is to formalize mathematically what this exactly means. Models that are used for classically secure schemes are sometimes not adequate to model quantum security, and this can lead to confusion.

A typical example is the case of the random oracle model (ROM), which is a formal paradigm widely used in security proofs. A random oracle is a purely mathematical construct which is completely independent from the type of adversary considered, and there are hence no exotic technical difficulties in adopting such a paradigm in security proofs for post-quantum cryptosystems. In fact, such an approach has been taken before, and there exist in the literature cryptosystems advertised as ‘post-quantum’ just because they are based on quantum-hard problems and provably secure in the ROM. A random oracle, however, is just an abstraction describing an idealized model of hash function, which is an algorithmic object eventually run on a computing device. As the code for such a hash function is usually public, it is reasonable to assume that an adversary equipped with a quantum computer could run the code on his quantum machine, and therefore would be able to access the hash function in a way which is not modeled anymore by the ROM. For this reason, in a sound post-quantum security analysis, the random oracle model should always be avoided, and replaced by a different, more involved model called quantum random oracle model (QROM). It can happen that schemes proven secure in the ROM become insecure in the QROM [BDF+

Quantum Cryptography
On one hand, quantum computing poses new challenges for modern cryptography, as many of the currently used cryptographic schemes and protocols base their security on the hardness of certain mathematical problems which are known to be easily solvable by a quantum machine. On the other hand, quantum computers open up new possibilities in secure information processing, as they can also be used ‘defensively’ in order to reach unprecedented levels of privacy, integrity, and trusted authentication. Importantly, it is often the case that such applications do not even require a fully-fledged scalable quantum computer, but only quantum hardware of modest technological engineering difficulty, which is already commercially available and deployed in many applications worldwide.

A typical example is quantum key distribution (QKD) [BB14], where two remote parties aim at establishing a secure communication channel by exchanging a secret key, employing the exchange of elementary quantum information packets (qubits) through a quantum channel. This can be technologically done, for example, by transmitting polarized photons through an optic encryption of quantum data [ABF+16] or quantum authentication [BCG+ inherently impossible without quantum data, and which only make sense when considering a ‘fully quantum infrastructure’, such as quantum money [Aar09] or delegated quantum computation [DFPR14].

In general, quantum computers promise to revolutionize the Age of Information as we know it. The ability to store, transmit, and process quantum data opens a world of new possibilities in the area of information processing. Quantum cryptography is the branch of cryptography which deals with designing secure cryptographic solutions which are natively meant to be run on quantum hardware; this includes QKD and all of the other examples above, and still others. Quantum cryptography is a relatively recent area of study of modern cryptography, and there is still much to be done in terms of inventing new cryptosystems, creating correct security models, and figuring out the relations between classical and quantum cryptographic constructions.
Contribution and Structure of this Work

We define ‘quantum security’ to be the discipline dealing with all the scenarios where one or more parties have access to quantum hardware. This encompasses both the fields of post-quantum cryptography, quantum cryptography, and also hybrid models, where traditional cryptographic schemes are somehow ‘mixed’ with quantum operations in certain scenarios. The term ‘quantum security’, although having appeared in the scientific literature before, has often been used inconsistently from one work to another (see, for example, [Zha12a, Unr13, KM12, BCD+ quantum security classes, or domains, each of them encompassing the security notions and constructions related to a particular scenario. We denote these classes by QS (standing for ‘quantum security’), followed by a number identifying the class. For each of these classes we recall known notions and results, as well as providing some results which are new or appearing in one or more of the author’s publications. We start with a preliminary section in Chapter 2 where we recall some basic concepts and notation, and then we proceed by presenting the four quantum security classes in the following chapters.

As it often happens in academic research, many of the results presented in the various chapters of this thesis stem from collaborative projects, where each individual achievement can be contributed by several, and most often all, researchers participating in that project. This makes it hard, if not impossible sometimes, to pinpoint who contributed to which specific part of the overall work. At the beginning of Chapters 3, 4, 5, and 6, we will give an account of the results presented in that chapter which are novel or appearing in some of the author’s publications.
QS0
We start in Chapter 3 with the class QS0, which is ‘classical cryptography’ (meaning that no quantum scenario is considered), where we present some results about traditional cryptography as a preliminary step. In this chapter we introduce security models for different classical cryptographic primitives, and we also introduce other building blocks and transformations from one primitive to another. More in detail, first we define and analyze in Section 3.1 some of the building blocks used in modern cryptography: pseudorandom number generators, functions, and permutations. Then we look at the security models (and some examples of constructions) for secret-key and public-key encryption schemes, in Sections 3.2 and 3.3 respectively. We do it by looking at both the security models of semantic security and indistinguishability of ciphertexts. In Section 3.4, we discuss digital signature schemes, both in the standard model and in the ROM, and we show how to obtain secure signature schemes through the Fiat-Shamir transformation in Section 3.5. Finally, in Section 3.6, we introduce oblivious random access machines (ORAMs), which are interactive protocols used to privately outsource a large database. We look at PathORAM, one of the most famous of such protocols, by using the formalism introduced in [GKK17].
QS1

In Chapter 4, we look at post-quantum security, and we call QS quantum access to classical oracles. We conclude this section with a classification of possible quantum security reductions which, to the best of the author’s knowledge, does not explicitly appear in existing literature. post-quantum hardness assumptions, such as post-quantum one-way functions and post-quantum one-way trapdoor permutations. In Section 4.4 we discuss post-quantum security notions for encryption schemes, both in the secret-key and public-key scenario, and we show some basic constructions. Then we discuss post-quantum digital signatures in Section 4.5. We do this both for the standard post-quantum model and for the quantum random oracle model. We proceed in Section 4.6 to the analysis of the Fiat-Shamir transformation in the quantum random oracle model. We provide here both a positive and a negative result: if the underlying identification scheme has certain properties, then the Fiat-Shamir transform of that scheme yields a secure signature scheme in the quantum random oracle model. However, if the underlying identification scheme has different properties, it is possible to find an argument (using the technique of meta-reduction) which shows that security proofs of a certain form cannot be found at all. The surprising result here is that identification schemes having the latter type of properties are usually less desirable (in terms of security) than the former ones. We exploit this fact by showing a counterintuitive but efficient technique to ‘strengthen’ the quantum security of a signature scheme obtained through the Fiat-Shamir transformation by ‘weakening’ the security of the underlying identification scheme. Finally, in Section 4.7 we look at post-quantum ORAMs, and at sufficient and necessary conditions to obtain a post-quantum version of PathORAM.
QS2

In Chapter 5, we look at superposition-based quantum security, and we call QS extra security guarantees against quantum adversaries are required in respect to the ‘post-quantum’ definition of security. We model these new scenarios in terms of quantum oracle access capabilities of the adversaries, explaining when such access is already implied in QS QS obfuscation and fault attacks, as explained in Section 5.1. But very often they also stem from ambiguous interpretations of the ‘post-quantum’ setting (as defined in QS1) sometimes present in the literature. From this point of view, one of the most important contributions of this thesis is to formally clarify the distinction between these two security classes.
In Section 5.2 we look at what happens when considering cryptographicbuilding blocks in the new scenarios. It turns out that, in respect to thepost-quantum scenarios, nothing changes for most of them, with two notableexceptions: quantum secure pseudorandom functions and permutations.Finally we discuss quantum-resistant encryption schemes in Section 5.3,with a special emphasis on the secret-key case. For such schemes, we providenew notions of indistinguishability and semantic security, as well as secureconstructions and impossibility results.
QS3
Finally, in Chapter 6, we leave the realm of classical cryptosystems, and we look at quantum cryptosystems, that is, cryptosystems meant to be natively run on quantum hardware. First we look at quantum encryption (that is, quantum algorithms for the encryption of quantum data) both in the secret-key (Section 6.1) and public-key (Section 6.2) scenarios. For both cases we provide security notions, as well as new constructions. We also show a novel technique for building encryption schemes secure in the QS QS quantum ORAMs (QORAMs) in Section 6.3. This is a new primitive (basically a quantum version of ORAM) which is aimed at outsourcing in a private way a database composed of quantum data. In proposing a new security model and an explicit construction for QORAMs, we also introduce a novel technique of independent interest which models a quantum adversary able to extract information from a quantum system without disturbing its state ‘too much’.

Related Work

The idea of quantum security as defined in this work is to encompass different types of scenarios which have in common the secure management of information in presence of quantum devices. Therefore, the existing related literature in this respect is vast, and we only cite a few key works here. The term ‘post-quantum cryptography’, as meant in the QS

Chapter 2. Preliminaries
In this chapter we discuss the notation and provide basic definitions used inthe rest of this work.
We start with a few basic concepts, mathematical notation and terminology. In the rest of this work, ‘w.l.o.g.’ stands for ‘without loss of generality’, ‘iff’ stands for ‘if and only if’, and ‘classical’ means ‘non-quantum’.

Numbers, strings, and generic atomic objects are denoted by default as lowercase letters, e.g., $a, b, x, y$. In particular, indices for sequences or families will often be denoted by $n, m, i, j, k$. Sometimes inputs and outputs of an algorithm will be denoted by lowercase Sans Serif script, e.g., com, state, sig. The security parameter is $n$, or $1^n$ when expressed in unary notation.

Special symbols are $\bot$ (usually denoting ‘error’, or ‘lack of meaning’) and the lowercase Roman $\mathrm{i}$ (denoting the imaginary unit, $\sqrt{-1}$). The symbol $\|$ denotes concatenation of bit strings, and the symbol $0^k$ (resp. $1^k$) denotes a $k$-bit string of zeroes (resp., ones). For a bit string (or natural number) $x$ we denote its bit size (or bit length) as $|x|$. If $x$ is a non-integer number, $|x|$ denotes its absolute value. If $x$ is a complex number, $|x|$ denotes its complex modulus, and $\bar{x}$ its complex conjugate.

Families or collections of objects (sets, functions, probability distributions) are of the form $(A_n)_n$, $(X_{j,k})_{j,k}$, where individual elements of the family are indexed, e.g., $A_n$, $X_{j,k}$. However, if there is no ambiguity in the choice of the index (usually this is the security parameter), such families are labeled in short just as $A$, $X$, etc.

Sets are usually denoted by uppercase letters, e.g., $T, X, Y$, except for special sets such as $\emptyset$, $\mathbb{N}$, $\mathbb{R}$, $\mathbb{C}$, and the set of all permutations on a set $X$, denoted by $S(X)$. The set of all finite bit strings or words is $\{0,1\}^*$. However, sets of bit strings will often be presented as families, where each member of the family contains bit strings of the same length. In this case, sets will be denoted by $\mathcal{T}, \mathcal{X}, \mathcal{Y}$ instead, it being understood that, e.g., $\mathcal{X} = (X_n)_n$, where $X_n$ only contains bit strings of length $f(n)$ for some positive (usually polynomial) function $f$. The cardinality (number of elements) of a set $X$ is denoted by $|X|$. Set operations are $\cup$ (union), $\cap$ (intersection), $\setminus$ (set difference), and $\times$ (Cartesian product). If a tuple $(x, y, z) \in X \times Y \times Z$, then single entries of the tuple are isolated by writing, e.g., $(x, y, z)|_Y = y$.

Functions (from sets to sets) are denoted by lowercase calligraphic letters, e.g., $f, g, \ell : X \to Y$. Borrowing a commonly used notation when defining ‘small’ quantities (relative to some parameter), exceptions to this notation are the special functions $\varepsilon$ and $\delta$. However, when a function is actually a family (indexed, for example, in terms of the bit size of the input) then it is denoted by uppercase calligraphic letters, e.g., $\mathcal{F}, \mathcal{G}, \mathcal{L}$. Commonly, in this case, domain and target space of these functions are also indexed as families, in relation to the bit size of the function’s input. For example, $\mathcal{F} : \mathcal{X} \to \mathcal{Y}$ represents a function $\mathcal{F}$ from set $\mathcal{X}$ to set $\mathcal{Y}$, which can be seen as a family of functions $(F_n)_n$, where $F_n : X_n \to Y_n$.

A (real-valued) function $f$ is polynomially bounded iff there exists a polynomial function $p$ and an element $\bar{x}$ such that $|f(x)| \le p(x)$ for all $x$ with $|x| > |\bar{x}|$. In this case we write $f = \mathrm{poly}$. A (real-valued) function $\varepsilon$ is negligible iff, for any polynomial function $p$, there exists an element $\bar{x}$ such that $|\varepsilon(x)| < 1/p(x)$ for all $x$ with $|x| > |\bar{x}|$. In this case we write $\varepsilon = \mathrm{negl}$.

Lowercase Greek letters denote quantum states, either pure ones when written in bra-ket notation (e.g., $|\varphi\rangle$, $|\psi\rangle$) or mixed ones when written without (e.g., $\sigma, \rho$). Exceptions are the symbols $\delta$ and $\varepsilon$, as already discussed, and $\lambda$ (used for eigenvalues).
Uppercase Greek letters ($\Sigma$, $\Gamma$, $\Theta$) are reserved for special purposes, usually to denote quantum channels.

Data structures (trees, blocks) are labeled with Typewriter script, e.g., tree, block, node.

Probability

Distributions are denoted by uppercase calligraphic letters, e.g., $\mathcal{D}, \mathcal{P}, \mathcal{U}$. Distribution ensembles, or families, are denoted by $(\mathcal{D}_n)_n$, $(\mathcal{P}_n)_n$, etc. As usual, if there is no ambiguity in the choice of the index (usually this is the security parameter), such families are labeled in short just as $\mathcal{D}$, $\mathcal{P}$, etc., with individual member distributions being $\mathcal{D}_n$, $\mathcal{P}_n$, etc.

If $\mathcal{D}$ is a distribution over a set $X$, then sampling an element $x$ from the distribution is written as $x \xleftarrow{\mathcal{D}} X$ (or, as a shorthand notation when the domain is clear, just $x \leftarrow \mathcal{D}$). Sampling an element uniformly at random from a set $R$ is written as $r \xleftarrow{\$} R$.

The support of a distribution $\mathcal{D}$ over a set $X$ is the subset of elements with non-zero probability, i.e., $\{x \in X : \Pr[x \leftarrow \mathcal{D}] > 0\}$. The cardinality of a distribution is the cardinality of its support. If $\mathcal{D}$ is a distribution over $X \times Y$, then we denote the distribution on $X$ induced by $\mathcal{D}$ as $\mathcal{D}_X := \mathcal{D}|_X$, and the sampling as $\mathcal{D}_X \to x$ where $x := (x, y)|_X$. The total variation distance (or statistical distance) of two distributions $\mathcal{D}, \mathcal{D}'$ is defined as:

$$|\mathcal{D} - \mathcal{D}'| := \sum_x \big| \Pr[x \leftarrow \mathcal{D}] - \Pr[x \leftarrow \mathcal{D}'] \big| .$$

Linear Algebra
Vectors are denoted either as tuples (e.g., $(x_1, \dots, x_n)$) or as boldface characters for the notation of the corresponding components (e.g., $\mathbf{x}$). The zero vector is denoted as $\mathbf{0}$. Matrices (linear operators between two vector spaces) are denoted by uppercase letters, e.g., $A, B, M$ (unless families, in that case $\mathcal{A}, \mathcal{B}, \mathcal{M}$, etc., as previously explained), except for the special symbols zero matrix (or null operator) over $n$ elements (denoted by $O_n$), and the identity matrix (or identity operator) over $n$ elements (denoted by $I_n$). If $M$ is an $n \times m$ matrix (which includes the case of vectors or scalars if $n$ or $m$ equals 1), then $M^T$ denotes its $m \times n$ transpose, $\overline{M}$ denotes its $n \times m$ complex conjugate, and $M^\dagger$ denotes its $m \times n$ Hermitian conjugate (or adjoint) $M^\dagger = \overline{M}^T = \overline{M^T}$. If $M$ is an $n \times n$ matrix with non-zero determinant, its unique inverse is denoted by $M^{-1}$. An $n \times n$ matrix (or linear operator) $M$ is Hermitian if $M = M^\dagger$, and unitary if $M^\dagger = M^{-1}$. The trace of a square matrix $M$ is denoted by $\operatorname{tr}(M)$, and it is the sum of the elements on the diagonal.

A complex Hilbert space is a complex vector space $\mathcal{H}$, together with an inner product operation $\langle \cdot, \cdot \rangle : \mathcal{H} \times \mathcal{H} \to \mathbb{C}$, such that $\mathcal{H}$ (seen as a metric space) is complete with respect to the metric induced by the norm $\|x\| := \sqrt{|\langle x, x \rangle|}$. Unless otherwise specified, the inner product adopted here is always the scalar product:
$$\langle \mathbf{x}, \mathbf{y} \rangle := \mathbf{x}\mathbf{y}^\dagger = (x_1, \dots, x_n) \begin{pmatrix} \overline{y_1} \\ \vdots \\ \overline{y_n} \end{pmatrix} = \sum_i x_i \overline{y_i}.$$
The norm induced by the above product is the Euclidean norm, and it is denoted by $\|\mathbf{x}\|$. The Euclidean distance between two vectors $\mathbf{x}$ and $\mathbf{y}$ is hence $\|\mathbf{x} - \mathbf{y}\|$. The dimension of a Hilbert space is the cardinality of a minimal set of orthonormal elements spanning the whole space. Such a set is called a basis for the complex Hilbert space, and it is not unique. In this work we only consider finite-dimensional complex Hilbert spaces.
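As an added worked example (not part of the original text), the following Python code implements the distribution notation from the start of this section: exact probability tables for $x \leftarrow \mathcal{D}$ and $r \xleftarrow{\$} R$, the support, the induced marginal $\mathcal{D}_X$, and the statistical distance $|\mathcal{D}_1 - \mathcal{D}_2|$. The function `modular_reduction_bias` is my own illustration, not something the thesis discusses: it measures how far `(uniform k-bit value) mod m` is from uniform on $\mathbb{Z}_m$, the distance behind the classic biased-random-number bug.

```python
import random
from fractions import Fraction

def uniform(domain):
    """The uniform distribution r <-$- R as an exact table outcome -> probability."""
    domain = list(domain)
    return {x: Fraction(1, len(domain)) for x in domain}

def support(dist):
    """Elements with non-zero probability; its size is the cardinality of the distribution."""
    return {x for x, p in dist.items() if p > 0}

def pushforward(dist, f):
    """Distribution of f(x) for x <- dist; with f a coordinate projection this is the marginal D|_X."""
    out = {}
    for x, p in dist.items():
        out[f(x)] = out.get(f(x), 0) + p
    return out

def product(d1, d2):
    """Joint distribution over X x Y of two independent samples."""
    return {(x, y): p * q for x, p in d1.items() for y, q in d2.items()}

def statistical_distance(d1, d2):
    """|D1 - D2| = 1/2 * sum_x |Pr[x <- D1] - Pr[x <- D2]|, summed over the union of both supports."""
    outcomes = support(d1) | support(d2)
    return Fraction(1, 2) * sum(abs(d1.get(x, 0) - d2.get(x, 0)) for x in outcomes)

def sample(dist, rng=random):
    """One draw x <- D by inverse-transform sampling over the table."""
    u = rng.random()
    acc = Fraction(0)
    x = None
    for x, p in dist.items():
        acc += p
        if u < acc:
            return x
    return x  # only reached through floating-point rounding at the top of the table

def modular_reduction_bias(bits, modulus):
    """Statistical distance between (uniform `bits`-bit value mod `modulus`) and uniform on Z_modulus.
    It is zero exactly when 2^bits is a multiple of `modulus`; otherwise the low residues are
    over-represented, which is the classic bias of `rand() % modulus` (constructed illustration)."""
    reduced = pushforward(uniform(range(2 ** bits)), lambda r: r % modulus)
    return statistical_distance(reduced, uniform(range(modulus)))
```

For an 8-bit value reduced modulo 100 the distance is exactly $77/800 \approx 0.096$; taking more input bits shrinks it but never removes it unless the modulus divides the input range, which is why rejection sampling is used instead.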
Classical Computation

In this section we recall the basic concepts and notation related to classical computation and complexity theory. The topic is of course vast, and here we do not cover every aspect of it in depth. For a more complete treatment of computation and complexity theory we refer to [AB09].
Circuits and Algorithms
The fundamental objects of study of computation theory are algorithms, which are sequences of elementary operations applied to some input data; the goal is to perform some procedure on those input data to produce some output. The complexity of an algorithm can refer to the number of elementary steps performed, the running time, the memory consumption, or any other resource used during its execution. Such complexity is expressed in relation to the instance size of the computation, which is a positive integer expressing the 'size' of the computational problem which the algorithm has to solve in order to perform the desired computation; this parameter is usually (related to) the bit size of the input. The complexity of an algorithm is then expressed as a function of the instance size: for example, if an algorithm $A$ has complexity at most $O(n^2)$ for instance size $n$, we say that $A$ has 'quadratic complexity'. An algorithm is deterministic if it always produces the same output for the same input, while it is probabilistic if it also takes an additional input (of size at most polynomial in the instance size) drawn from uniform random bits; its output is hence expressed as a distribution over these 'internal random coins'.

In this work we only deal with time complexity, i.e., we count as complexity the execution time of the algorithm. Time complexity is expressed in terms of the number of elementary operations performed by the algorithm, regardless of their nature, i.e., we assume for simplicity that any elementary operation (be it an addition, logical AND, division, etc.) takes one unit of time to execute. Moreover, as is common in cryptography, we call the instance size the security parameter, denoted by $n$. DPT stands for '(Boolean) deterministic polynomial time', while PPT stands for '(Boolean) probabilistic polynomial time', where 'Boolean' refers to the fact that the algorithm operates on bit strings and performs elementary Boolean (bit) operations.

Traditionally, the two most commonly used models to describe a classical algorithm are Turing machines and Boolean circuits.
• A Turing machine is a mathematical model describing an abstract machine with an internal state, acting on a data tape and performing operations according to a pre-specified set of rules.
• Boolean circuits are acyclic directed graphs where the nodes are either input bits, output bits, or elementary (Boolean) operations. Complexity in this case is given by the total number of gates in the circuit.

[…] $1^n$ as input, runs in time at most polynomial in $n$, and outputs a description of the $n$-th member of the circuit family. So, for example, a PPT algorithm $A$ is a family of Boolean circuits $A := (A_n)_n$ such that:
1. there exists a Turing machine $M$ such that, on input $1^n$, $M$ runs in time $O(\mathrm{poly}(n))$ and outputs a description of $A_n$; and
2. $A_n$ is a Boolean circuit of size $O(\mathrm{poly}(n))$, taking as input a $\mathrm{poly}(n)$-bit value and $\mathrm{poly}(n)$ many uniformly random bits, and producing an $O(\mathrm{poly}(n))$-bit output.

Algorithms, being families of circuits, are denoted by, e.g., $A := (A_n)_n$. When studying an algorithm which is a subroutine of another algorithm, or where we do not want to stress that it is a family, or anyway for clarity of notation, we use math sans-serif script (e.g., $\mathsf{Access}$, $\mathsf{KGen}$, $\mathsf{Enc}$). Every algorithm always gets as input at least the security parameter, so we will omit it from the notation, it being understood that such an input is always present. In order to express that a deterministic algorithm $A$, on input a value $x$, produces an output $y$, we write $y := A(x)$ or, equivalently, $A(x) =: y$. For a probabilistic algorithm instead, the notation becomes $y \leftarrow A(x)$ (or, equivalently, $A(x) \to y$). However, if the output of a probabilistic algorithm $A$ is written as $A(x) = y$, that is a shorthand notation for $\Pr[A(x) \to y] = 1$, where the probability is taken over the internal randomness of $A$.
If an algorithm's only input is the security parameter (which we omit from the notation, as said), we only write, e.g., $A =: y$, or $A \to y$ if probabilistic.

The random coins of a probabilistic algorithm are almost always omitted from its input, so we write simply, e.g., $A(x) \to y$; however, if for some reason it is necessary to 'de-randomize' the algorithm (that is, to consider the deterministic algorithm obtained by fixing a particular choice of randomness $r$), we write this as $A(x; r) =: y$. If $A$ is probabilistic, then the notation $\Pr[A(x) \to y]$ is meant as 'probability over the randomness of $A$, for that particular value $x$', while $\Pr_{x \in X}[A(x) \to y]$ (or $\Pr_{x \leftarrow X}[A(x) \to y]$) means 'over the randomness of $A$, averaged over the uniform distribution on $X$'. If instead $A$ is deterministic, then $\Pr_{x \in X}[A(x) \to y]$ (or $\Pr_{x \leftarrow X}[A(x) \to y]$) is given by the fraction
$$\frac{|\{x \in X : A(x) =: y\}|}{|X|}.$$

Abusing notation, we sometimes express algorithms as (families of) functions from (families of) sets of inputs to (families of) sets of outputs. So, for example, $A := (A_n)_n : X \times Y \to Z \times \{0,1\}^*$ means that, for every $n \in \mathbb{N}$, $A_n$ is a Boolean circuit taking as input one element of $X_n$ and one element of $Y_n$, and outputting one element of $Z_n$ and one extra bit string of unspecified length. If an algorithm only takes as input the security parameter and outputs elements in $X$, we write just $A : \to X$.
Algorithms can be interactive, and communicate with each other. A special case is given by stateful algorithms, which have an internal state variable which can be updated and stored across different executions of the same algorithm (in this sense, the algorithm 'communicates with its future self'). In order to represent this communication, three different notations can be used.
1. Explicit state transport. For example, if $A = (A_1, A_2)$ and one wants the first-stage algorithm $A_1$ to communicate some information to the second stage $A_2$, we write something like:
$$A_1(x) \to (y, \mathit{state}), \qquad A_2(z, \mathit{state}) \to w,$$
where $\mathit{state}$, when left unspecified, is a bit string of size polynomial in the security parameter, carrying the information to be transmitted.
2. Circuit self-output, used in particular for stateful algorithms. For example, if $A_0$ is the algorithm in the initial state, then $A_0$ 'outputs $y$ and a description of its own updated state' as $A_0(x) \to (y, A_1)$. If this notation is used, from now on $A_0$ cannot be invoked again. Instead, $A_1$ is run on some other input $a$ and updates itself as $A_1(a) \to (w, A_2)$. From now on, $A_1$ cannot be invoked anymore. Instead, a fresh invocation can be written as $A_2(w, y, b) \to (u, r, A_3)$, and so on.
3. Communication transcript. In this case, two or more algorithms communicate back and forth through a communication channel (which is a shared register between the two circuits). The 'history' of the content of such a register during the execution of two algorithms $A$ and $B$ is called the communication transcript $\mathit{com}$, and it is usually denoted as $\mathit{com} \leftarrow \langle A(x), B(y) \rangle$.

If an algorithm $A$ has oracle access to another algorithm (or family of functions) $O$, this is written as $A^{O}$.
In this case, it is understood that $A$ can communicate with $O$ solely through $O$'s input and output registers, while $A$ does not know anything else about $O$'s structure, code, or working details. Such a communication is called a query: $A$ queries $O$ on input value $x$, then $O$ computes the answer $y \leftarrow O(x)$ and finally $y$ is sent back to $A$. In this case, $O$'s running time is ignored: it is always assumed that one oracle invocation takes one unit of time to execute, regardless of $O$'s actual running time. Giving $A$ oracle access to another resource $O$ models the case where $A$ is given 'extra power' in performing a certain task, without having to deal with the exact way this task is performed.

Computational Complexity Theory
Complexity classes are families of problems with related asymptotic difficulty. Their definition is often given in terms of language verifiers: a language is a subset of $\{0,1\}^*$, and a verifier for a language is an algorithm which checks whether a given input bit string belongs to that language (outputs 1) or not (outputs 0). In this work we only consider the following three classical complexity classes.
• P is the set of all languages $L$ for which there exists a DPT algorithm $M$ such that:
1. $\forall x \in L \Rightarrow M(x) = 1$; and
2. $\forall x \notin L \Rightarrow M(x) = 0$.
Informally, P is the set of all problems which are 'easy to solve', in the sense that a solution for a given problem instance of size $n$ can be found deterministically in time at most polynomial in $n$.
• BPP is the set of all languages $L$ for which there exist a PPT algorithm $M$ and a positive constant $c$ such that:
1. $\forall x \in L \Rightarrow \Pr[M(x) \to 1] \ge \frac{1}{2} + c$; and
2. $\forall x \notin L \Rightarrow \Pr[M(x) \to 0] \ge \frac{1}{2} + c$.
Informally, BPP is the set of all problems which are 'easy to solve with high probability', in the sense that a solution for a given problem instance of size $n$ can be found with high probability in time at most polynomial in $n$. It is currently unknown whether P = BPP or not [Gol11].
• NP is the set of all languages $L$ for which there exist a DPT algorithm $M$ and a polynomial $p$ such that:
1. $\forall x \in L \;\exists y \in \{0,1\}^*$ with $|y| \le p(n)$ such that $M(x, y) = 1$; and
2. $\forall x \notin L,\; \forall y \in \{0,1\}^*$ with $|y| \le p(n) \Rightarrow M(x, y) = 0$.
Informally, NP is the set of all problems which admit a 'solution easy to check', in the sense that a candidate solution for a given problem instance of size $n$ can be tested deterministically in time at most polynomial in $n$. It is currently unknown whether P = NP or not [AB09].

Let $L \in$ NP be a language with a (polynomially computable) relation $R$, i.e., there exist a DPT algorithm $\mathsf{Rel}$ and a polynomial $p$ such that, for all $x$, $x \in L$ iff there exists some $w \in W \subset \{0,1\}^*$ such that $(x, w) \in R$ and $|w| \le p(|x|)$, where $(x, w) \in R \Leftrightarrow \mathsf{Rel}(x, w) = 1$. We say that $w$ is a witness for $x \in L$ (and $x$ is called a theorem or statement). We sometimes use the notation $R_n$ to denote the set of pairs $(x, w)$ in $R$ of complexity measured in relation to the security parameter, e.g., with $|x| = n$. In this case, with abuse of notation, we identify the relation $R$ with the algorithm $\mathsf{Rel}$ testing its membership.
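As an added Python example (mine, not the thesis's code), here is a DPT verifier $\mathsf{Rel}(x, w)$ for a concrete NP relation, $\{((p, g, h), w) : g^w = h \bmod p\}$: the statement is a discrete logarithm instance in the sense of the Definition of the DLP given in the hardness assumptions section below, and the witness is the exponent, whose bit length is bounded by $|p|$ and hence polynomial in the statement size. `baby_step_giant_step` is the generic witness-finding algorithm, which needs about $2\sqrt{|\mathbb{G}|}$ group operations and $\sqrt{|\mathbb{G}|}$ table entries. The toy group (the safe prime $p = 1019$ with generator $2$) is a constructed assumption chosen so the example runs instantly; for a group of order $2^{256}$ the same algorithm needs about $2^{128}$ steps, which is why the DLP definition requires an order exponential in $n$.

```python
import math

# Constructed toy group (not from the text): 1019 = 2*509 + 1 is a safe prime and 2 is a
# quadratic non-residue mod 1019 (since 1019 = 3 mod 8), so 2 generates all of Z_1019^*.
P, G, ORDER = 1019, 2, 1018

def rel_dlog(statement, witness):
    """DPT verifier Rel(x, w) for the relation {((p, g, h), w) : g^w = h mod p, 0 <= w < p-1}.
    One modular exponentiation: polynomial in the bit size of the statement."""
    p, g, h = statement
    return 0 <= witness < p - 1 and pow(g, witness, p) == h

def dlp_instance(x, p=P, g=G):
    """Statement (p, g, h) with h = g^x; the exponent x is the witness."""
    return (p, g, pow(g, x, p))

def baby_step_giant_step(p, g, h, order):
    """Generic solver: returns the smallest x in [0, order) with g^x = h mod p, or None.
    Cost is O(sqrt(order)) time and memory, independent of any structure of the group."""
    m = math.isqrt(order - 1) + 1            # m = ceil(sqrt(order))
    baby = {}
    e = 1
    for j in range(m):                        # baby steps: store g^j -> j
        baby.setdefault(e, j)
        e = e * g % p
    giant_factor = pow(pow(g, p - 2, p), m, p)   # g^(-m); inverse by Fermat since p is prime
    gamma = h % p
    for i in range(m + 1):                    # giant steps: test h * g^(-i*m) against the table
        if gamma in baby:
            return i * m + baby[gamma]
        gamma = gamma * giant_factor % p
    return None

def solve_and_check(x):
    """Builds an instance from witness x, recovers a witness generically and verifies it with Rel."""
    p, g, h = dlp_instance(x)
    w = baby_step_giant_step(p, g, h, ORDER)
    return w, rel_dlog((p, g, h), w)
```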
Classical Cryptography

In this section we briefly recall the basic concepts and terminology used in modern cryptography.
Provable Security
Traditionally, cryptography has long been seen as a 'cat-and-mouse' game, in the sense that the only way to validate the quality of a proposed cryptographic object was to perform some sort of cryptanalysis on it (i.e., 'trying to break it'), and then trying to fix the vulnerabilities found, until new flaws were found, and so on. Under this perspective, the criterion to decide whether a cryptographic object should be trusted or not is just 'the test of time', in the sense that no new vulnerabilities have been found 'for a long time'.

However, this paradigm has shifted radically in the last 30 years or so. The modern approach to defining good practice in cryptography is provable security, a paradigm involving a rigorous mathematical analysis of the cryptographic object, the adversarial model, and the security assumptions. In provable security, when analyzing a cryptographic scheme, one needs to provide rigorous definitions and models for the following aspects:
1. the functionality of the cryptographic object, i.e., what exactly is the goal that the object wants to achieve;
2. the adversary model, i.e., what does a 'reasonable' adversary against the object look like? What does the adversary want to achieve? When can we say that the adversary is 'successful'?
3. the security proof, i.e., a mathematical proof showing that, under the specified model and some basic, commonly accepted assumptions, it is possible to rule out any successful adversary against the cryptographic object under examination.

It is important to distinguish between two different concepts of security.
• Information-theoretical (or statistical) security.
In this case, the proof of security aims at showing that the behavior of the cryptographic object is statistically equivalent (in the sense that it produces a distribution of outputs at most negligibly different) to the behavior of an idealized object, against which no successful attacker can exist by definition. For example, an information-theoretically secure encryption scheme produces a distribution of ciphertexts which is at most negligibly different from the uniform distribution over all ciphertexts, regardless of the input plaintext. Clearly, information-theoretical security is very strong, because it holds regardless of the adversarial model. However, being so strong, it is also limited in use, as very few cryptographic objects can be shown to be statistically secure.
• Computational security, on the other hand, aims at showing that a cryptographic object is secure by relying on the intrinsic computational limitations of a 'reasonable' adversary. For example, in a computationally secure (but not statistically secure) encryption scheme, an adversary might be able to break security by testing ('brute-forcing') all the possible encryption keys one after another. However, if such an adversary, in so doing, takes an amount of time which exceeds by many orders of magnitude the age of the universe, we would not consider it a threat to the security of the cryptographic scheme. A commonly accepted definition of 'computationally bounded adversary' is 'polynomial-time bounded' (in the security parameter).

In this work we only focus on computational security, but sometimes we refer to statistical security when needed for comparison. The adversary model we consider in classical security is thus some form of PPT algorithm, possibly with oracle access to additional resources.

The 'winning condition' for a given adversary $A$ is expressed in terms of the outcome of an experiment (or game), which is a mathematical model describing the intuitive behavior of an adversary trying to compromise the security of a cryptographic scheme $S$. Formally, an experiment is an algorithm (taking as input the security parameter $n$ and, optionally, other parameters) with oracle access to $A$ and (the components of) $S$, and outputting some value (typically a bit) telling whether the experiment was successful (i.e., $A$ won) or not. The notation used is of the form $\mathsf{Game}^{\mathsf{LABEL}}_{S,A}$, where LABEL identifies the particular experiment. The advantage of an adversary $A$ running such an experiment (denoted by $\mathsf{Adv}^{\mathsf{LABEL}}_{S,A}$) is the difference between $A$'s success probability and the success probability of a 'naive' adversary who just guesses a possible solution to the problem of breaking $S$'s security at random. Then, in order to define $S$ secure, two possible approaches are considered:
1. game-based security. In this case, it is required that the advantage of any (computationally bounded) adversary is 'small' (meaning, negligible in the security parameter); or
2. simulation-based security. In this case, the success probability of an arbitrary adversary $A$ in the original experiment is compared to the success probability of the same $A$ in a different experiment, describing an idealized, or 'simulated', situation where there is basically no possibility that $A$ can break the security of the underlying scheme. In this case, security requires that for any (computationally bounded) adversary, the success probabilities in the 'real' and the 'ideal' world are roughly the same (meaning, at most negligibly distinct).
Both approaches are widely used in provable security. Usually, simulation-based security better captures the idea of transforming into a rigorous mathematical model what intuitively we want a cryptographic object to achieve; game-based security, however, is often more immediate to formulate and simpler to use in security proofs. A common technique in provable security is in fact to show equivalence between an intuitive, rigorous simulation-based security definition and a simpler, easier-to-use game-based one.

Regarding security proofs, it must be noted that such proofs are intuitively very hard to come up with. In fact, it is in theory easy to show that a particular, formally well-described adversary is unable to successfully attack a certain cryptographic scheme. However, the security proofs we need require us to rule out every possible adversary, even those which we do not know yet, or are unable to formalize. Therefore, directly showing security against one adversary does not work, and different techniques are used instead.

A very common technique to show the security of a cryptographic scheme $S$ is the concept of reduction to another problem, or primitive, $P$. Let us assume that $P$ is hard to solve, or anyway widely believed to be hard. Then one could 'show' the security of $S$ by proving that the problem of breaking $S$'s security is 'at least as hard' as solving $P$. This is accomplished by proving that, given a hypothetical successful adversary $A$ against $S$, such an adversary can be turned, constructively and in an efficient way, into an efficient solver for $P$. In this case we say that the security of $S$ reduces to the hardness of $P$, and the formal proof itself is called a reduction. A typical example of reduction is giving an explicit description of an efficient algorithm $B$ which solves $P$, and which has oracle access to $A$ (in that case $B$ is also said to be the reduction itself).
We say that a reduction is 'black-box' if such oracle access is the only interaction between $A$ and $B$, and $B$ does not have any other clue about $A$, such as insights into $A$'s code or access to oracles which, according to the security model, should only be accessible by $A$. However, as is common practice in provable security, $B$ is allowed to know a priori an upper bound on $A$'s running time or number of queries to its oracles.

Finally, another common topic in provable security is impossibility results, that is, general theorems stating that a certain class of cryptographic objects having certain properties cannot be secure. The most direct way to do this is by providing an explicit attack, i.e., an efficient adversary working against every member of that class. However, this can sometimes be hard, and there are countless examples of cryptographic schemes where a direct attack is not known, but at the same time no reduction can be found.

A possible technique to show impossibility results is that of meta-reductions. Intuitively, a meta-reduction is 'a reduction on reductions': the idea is to show that, if a scheme $S$ admits an efficient reduction $B$ to some problem $P$, then another reduction $M$ exists, which uses $B$ to attack another, possibly different, hard problem $P'$. This rules out the existence of $B$.

In the case of meta-reductions, since $B$ needs an efficient adversary $A$ against $S$ in order to work, and reductions must always be constructive and efficient, it should be $M$'s duty to provide such an adversary $A$ for $B$ to work with. However, since $M$ cannot break $P$ directly (or else this would be a contradiction), the meta-reduction simulates a 'fake' adversary, in such a way that the simulation cannot be used directly to break $P$, but at the same time such a simulation is undetectable from $B$'s perspective. So, a meta-reduction technique works like this:
1. assume the existence of a reduction $B$ from scheme $S$ to problem $P$;
2. give an explicit description of an adversary $A$ against $S$. This adversary does not necessarily need to exist, because $B$ works regardless of $A$'s nature. In practice though, it is usually required that $B$ is a black-box reduction;
3. give an explicit description of an efficient algorithm $M$ which can simulate $A$ (from $B$'s point of view) and any other resource or oracle that $B$ needs to access;
4. execute the reduction $B$, and use $B$'s output to break $P'$.

Hardness Assumptions
Hardness assumptions relate to mathematical problems which are at the same time easy to formalize (it is clear what a solver for these problems should accomplish), and such that to date no general method for solving these problems has been found (and there is evidence that finding such a method is arguably very hard). These assumptions are important, because they identify problems which are very attractive to reduce to during security proofs.

Since we are dealing with computational security, a very minimal assumption is that P $\neq$ NP. This is widely believed to be the case [AB09]; however, finding cryptographic reductions to such a minimal assumption is very hard. In this section, we recall some commonly used hardness assumptions in cryptography. In what follows, we assume w.l.o.g. that the message space is $X = (X_n)_n := (\{0,1\}^n)_n$.

One very well studied assumption that we will explicitly use later in this work is the computational hardness of the discrete logarithm problem (DLP).

Definition 2.1 (Discrete Logarithm Problem). For a security parameter $n$, let $(\mathbb{G}, \star)$ be a cyclic group of order exponential in $n$, with generator $g$, and such that $\star$ is efficiently computable. The discrete logarithm problem (DLP) on $\mathbb{G}$ is, given $h \xleftarrow{\$} \mathbb{G}$, to find $x \in \mathbb{N}$ such that $h = g^x$.

The DLP hardness assumption (for a given group $(\mathbb{G}, \star)$) states that no PPT algorithm exists which is able to solve the DLP with probability better than $\frac{1}{2} + c$ for any positive constant $c$ (i.e., the DLP is not in BPP for many known groups). There exist many different variants of the DLP, such as the decisional Diffie-Hellman (DDH) problem and many others; see [Bon98] for a survey. There exist also many other number-theoretic hardness assumptions, both quantum-insecure (RSA [RSA78] and factorization, elliptic-curve DLP [JMV01], etc.) and (presumably) quantum-resistant (lattice problems [GGH97], code-based [McE78], isogenies [FJP14], etc.), but we will not address them specifically in this work.

Another very minimal hardness assumption that we make heavy use of is the existence of one-way functions. Intuitively, these are (families of) functions that are 'easy' to evaluate on any input, but 'hard' to invert on a random output, meaning that no efficient algorithm can find a pre-image for a randomly generated image.
Definition 2.2 (One-Way Functions (OWF) and Permutations (OWP)). Let $F = (F_n)_n$ be a DPT algorithm, with $F_n : X_n \to \{0,1\}^*$. $F$ is a (family of) one-way functions (OWF) iff for any PPT algorithm $A$ it holds:
$$\Pr_{x \xleftarrow{\$} X}\bigl[A(F(x)) \to x' : F(x') = F(x)\bigr] \le \mathrm{negl}.$$
Moreover, in the special case where $F_n : X_n \to X_n$ are permutations on $X_n$ for every $n$, $F$ is a (family of) one-way permutations (OWP).

The existence of one-way functions would imply P $\neq$ NP, but the converse is not believed to hold [AB09]. However, one-way functions are considered to be a very minimal assumption for the existence of computationally secure cryptography. In general, reducing the security of a cryptographic object to the existence of one-way functions is a strong indicator of the scheme's security.

Notice the following: Definition 2.2 does not say anything about individual members of the family being pseudorandom. For example, there might be one-way functions which always fix certain bits of their output, so that those bits can be trivially predicted. However, these 'easily predictable' bits cannot be 'too many', otherwise an adversary $A$ could invert the whole function by guessing the other bits, against the assumption of one-wayness. Those (Boolean functions of) bits which are not easily predictable are called hard-core bits (or hard-core predicates).

Definition 2.3 (Hard-Core Predicate). Let $F : X \to Y$ be a OWF. A polynomial-time computable function $hc_F : X \to \{0,1\}$ is a hard-core predicate (or bit) of $F$ iff, for any PPT algorithm $A$, it holds:
$$\Pr_{x \xleftarrow{\$} X}\bigl[A(F(x)) \to hc_F(x)\bigr] \le \frac{1}{2} + \mathrm{negl}.$$

Whether every OWF admits hard-core predicates or not is an open problem [KL07]. But it can be shown that, given any OWF $F$, it is always possible to construct another OWF $H$ such that $hc_H$ exists. Moreover, if $F$ is a OWP, then so is $H$.

Proposition 2.4 ([HILL99]). Let $F$ be a OWF (resp., OWP). Then it is possible to efficiently transform $F$ into a OWF (resp., OWP) $H$ such that at least one hard-core predicate $hc_H$ exists.

Given the above, from now on we assume for simplicity that every OWF admits hard-core predicates. In the case that $F : X \to X$ (in particular, if $F$ is a OWP), the construction of hard-core bits can be iterated to $hc_H, hc_{H^2}, \dots$.

Proposition 2.5 ([HILL99]). Let $F : X \to X$ be a OWF (resp., OWP) with hard-core predicate $hc_F$. Then $F^2$ is a OWF (resp., OWP) with hard-core predicate $hc_{F^2}$.

Another very important cryptographic assumption is the existence of one-way trapdoor permutations (OWTP). A OWTP is a (family of) permutations which are easy to evaluate but hard to invert, unless an extra piece of secret information is known (the trapdoor) which is specific to a certain permutation. For our scope, it is convenient to express a family of OWTPs as indexed through an index family, which is efficiently sampleable together with the related trapdoor. We will denote by $I := (I_n)_n$ and $T := (T_n)_n$ the index and trapdoor spaces, respectively. W.l.o.g., we assume $I_n \subseteq \{0,1\}^{\iota(n)}$ and $T_n \subseteq \{0,1\}^{\tau(n)}$ for security parameter $n \in \mathbb{N}$, where $\iota$ and $\tau$ are polynomial functions determined by the OWTP family.

Definition 2.6 (One-Way Trapdoor Permutation Family (OWTP)). A (family of) one-way trapdoor permutations (OWTP) is a tuple of PPT algorithms $P := (\mathsf{Gen}, \mathsf{Eval}, \mathsf{Invert})$:
1. $\mathsf{Gen} : \to I \times T$;
2. $\mathsf{Eval} : I \times X \to X$;
3. $\mathsf{Invert} : I \times T \times X \to X \cup \{\bot\}$,
and such that:
1. for any PPT algorithm $A$ it holds:
$$\Pr_{x \xleftarrow{\$} X,\ (i,t) \leftarrow \mathsf{Gen}}\bigl[A(i, \mathsf{Eval}(i, x)) \to x\bigr] \le \mathrm{negl};$$
and
2. (correctness) $\mathsf{Invert}(i, t, y) = x$ for all $x \in X$, all $(i, t) \leftarrow \mathsf{Gen}$, and $y \leftarrow \mathsf{Eval}(i, x)$.

The existence of OWTP is an assumption, like in the case of OWF. It is a stronger assumption, because the existence of OWTP in particular implies the existence of OWF, but the converse is not believed to hold.
Proposition 2.7 (OWTP $\Rightarrow$ OWP $\Rightarrow$ OWF). Let $P := (\mathsf{Gen}, \mathsf{Eval}, \mathsf{Invert})$ be a OWTP on $X$. Then, for all but a negligible fraction of the possible sequences $(i_n, t_n)_n \leftarrow \mathsf{Gen}(n)$, $\mathsf{Eval}(i_n, \cdot)$ is a OWP (and thus a OWF) on $X = (X_n)_n$.

Candidate OWTPs can be constructed from some hard problems such as factorization, DLP, and many others. As an example, it is well known that if factoring large integers is hard, then one can build OWTPs using, e.g., the RSA cryptosystem [RSA78].

Theorem 2.8 (RSA $\Rightarrow$ OWTP). If factorization of large integers is computationally hard, then OWTPs exist.

Strictly speaking, the one-wayness of the RSA permutation rests on the RSA assumption: inverting RSA is known to be at most as hard as factoring $N$, but not known to be as hard. Rabin's squaring function $x \mapsto x^2 \bmod N$ (a permutation of the quadratic residues modulo a Blum integer $N$) is the classical trapdoor one-way function whose inversion is provably equivalent to factoring.
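As an added example (my code, not the thesis's), Definition 2.6 and Theorem 2.8 instantiated with textbook RSA in Python: $\mathsf{Gen}$ samples two primes and outputs the index $i = (N, e)$ and the trapdoor $t = (N, d)$; $\mathsf{Eval}(i, x) = x^e \bmod N$; $\mathsf{Invert}(i, t, y) = y^d \bmod N$, returning `None` for $\bot$ when the trapdoor does not belong to the index. The textbook parameters $(p, q, e) = (61, 53, 17)$ and the 48-bit primes are constructed for demonstration and far too small for real use; `invert_by_factoring` shows concretely what an adversary without $t$ has to do, namely factor $N$, which trial division only manages because the toy modulus is tiny.

```python
import random
from math import gcd

def is_probable_prime(n, rng, rounds=24):
    """Miller-Rabin: a composite survives all rounds with probability at most 4^-rounds."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits, rng):
    """Uniform-ish odd candidates of exactly `bits` bits until one passes the primality test."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand, rng):
            return cand

def modinv(a, m):
    """a^-1 mod m by the extended Euclidean algorithm; requires gcd(a, m) = 1."""
    r0, r1, s0, s1 = m, a % m, 0, 1
    while r1:
        q = r0 // r1
        r0, r1, s0, s1 = r1, r0 - q * r1, s1, s0 - q * s1
    assert r0 == 1, "not invertible"
    return s0 % m

def rsa_from_primes(p, q, e):
    """Index i = (N, e) is public; trapdoor t = (N, d) with e*d = 1 mod phi(N)."""
    n, phi = p * q, (p - 1) * (q - 1)
    assert gcd(e, phi) == 1
    return (n, e), (n, modinv(e, phi))

def Gen(bits, rng, e=65537):
    """(i, t) <- Gen: two distinct random primes of `bits` bits; the primes are discarded."""
    while True:
        p, q = random_prime(bits, rng), random_prime(bits, rng)
        if p != q and gcd(e, (p - 1) * (q - 1)) == 1:
            return rsa_from_primes(p, q, e)

def Eval(i, x):
    """Eval(i, x) = x^e mod N: a permutation of Z_N = {0, ..., N-1} because gcd(e, phi(N)) = 1."""
    n, e = i
    return pow(x % n, e, n)

def Invert(i, t, y):
    """Invert(i, t, y) = y^d mod N; None plays the role of bottom when t does not match i."""
    n, d = t
    if n != i[0]:
        return None
    return pow(y % n, d, n)

def is_permutation_on_ZN(i):
    """Exhaustive check of the permutation property; only feasible for a toy modulus."""
    n, _ = i
    return sorted(Eval(i, x) for x in range(n)) == list(range(n))

def invert_by_factoring(i, y):
    """Without the trapdoor: recover d from N by factoring. Trial division works for the toy N
    only; for real parameters this is the factoring problem the assumption is built on."""
    n, e = i
    p = next(d for d in range(2, n) if n % d == 0)
    return Invert(i, rsa_from_primes(p, n // p, e)[1], y)
```

Note that `Eval` is a permutation of all of $\mathbb{Z}_N$, not only of the units, which is what Definition 2.6 needs for the domain $X$ to be a fixed set independent of the trapdoor.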
The Random Oracle Model
In this section we briefly recall the random oracle model (ROM) methodology. The subject is quite involved and here we do not discuss it in detail; see [Bel98] for an overview. A random oracle (RO) is an abstract mathematical model representing an idealized version of a publicly accessible source of randomness. In practice, a RO is used in security proofs to replace pseudorandom objects, such as hash functions, which would otherwise be too difficult to analyze. The idea is that such objects approximate very well the mathematical model described by the random oracle, so that a security proof given in the ROM is 'almost as good' as a security proof given for the real-world implementation. However, it is important to keep in mind that there are cases of ROM uninstantiability [CGH98, BFM15]. That is, there exist (artificial) examples of cryptographic schemes which are provably secure in the ROM, but which become insecure whenever the random oracle is replaced by any hash function.

Formally, a random oracle from a bit string set $X$ to a bit string set $Y$ is a function $O : X \to Y$ drawn uniformly at random from the set $Y^X$. The description of $O$ is not explicitly given; instead, $O$ can only be queried in a black-box way. At the beginning of the security analysis, the oracle is initialized by drawing a function uniformly at random from the set $Y^X$. The function so chosen remains unknown to all the parties involved in the protocol, but all those parties gain oracle access to it.

It is important to notice that, with high probability, a randomly chosen function from $X$ to $Y$ does not have a compact representation, so that the mere act of selecting a random function in $Y^X$ is not algorithmically defined. Because the security proofs we are interested in must be constructive and efficient, different approaches should be taken when constructing a random oracle. One possibility is lazy sampling: because the value of a completely random function on a certain point $x$ is distributed independently of the values the function takes on any other point, the following procedure defines a random function, by adaptively filling a lookup table of values as soon as they are queried for the first time. In terms of pseudocode, a lazy sampling procedure looks as follows:

    set LookupTable := ∅
    for all queries received on element x do
        if (x, y) ∈ LookupTable for some element y then
            return y
        else
            sample y ←$ Y
            set LookupTable := LookupTable ∪ {(x, y)}
            return y

Another possible method is to instantiate the RO with an efficiently computable pseudorandom function family, which will be described in Section 3.1. Finally, it is important to mention that a RO can be reprogrammed, that is, the underlying function can be changed 'on the fly' during the security proof. The intuition for this is that, since the RO replaces a hash function, the proof should still hold if we use a certain hash function instead of another one, as long as it does not have exploitable 'structures' which are not supposed to be found (with high probability) in a completely random function.
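The lazy sampling procedure above and the reprogramming remark, as an added Python example (mine, not from the thesis): `LazyRandomOracle` fills the lookup table on first query; `reprogram` changes $O(x)$ only on points that nobody has queried yet, since on an already-queried point the change would be observable by whoever holds the old answer; and `PRFOracle` is the alternative instantiation by a keyed pseudorandom function, here HMAC-SHA256. The choice of HMAC and the seeded `random.Random` standing in for true randomness are assumptions of the example.

```python
import hashlib
import hmac
import random

class LazyRandomOracle:
    """O : {0,1}^* -> {0,1}^(8*out_len), sampled lazily: each new query point gets an independent
    uniform answer which is stored, so repeated queries on the same point stay consistent."""

    def __init__(self, out_len, seed=None):
        self.out_len = out_len
        self._rng = random.Random(seed)   # stands in for true randomness in this demonstration
        self._table = {}
        self.queries = 0                  # proofs bound the adversary by this counter

    def query(self, x: bytes) -> bytes:
        self.queries += 1
        if x not in self._table:
            self._table[x] = self._rng.getrandbits(8 * self.out_len).to_bytes(self.out_len, "big")
        return self._table[x]

    def queried(self, x: bytes) -> bool:
        return x in self._table

    def reprogram(self, x: bytes, y: bytes) -> None:
        """Set O(x) := y 'on the fly'. Allowed only on unqueried points: their values are uniform
        and independent of everything seen so far, so a uniform y is indistinguishable from the
        lazy sample. Changing a queried point would contradict an answer already handed out."""
        if len(y) != self.out_len:
            raise ValueError("output length mismatch")
        if x in self._table:
            raise ValueError("point already queried; reprogramming it would be observable")
        self._table[x] = y

class PRFOracle:
    """The other instantiation mentioned in the text: a keyed pseudorandom function (here
    HMAC-SHA256 under a secret key) answering the same interface without any table."""

    def __init__(self, key: bytes):
        self._key = key

    def query(self, x: bytes) -> bytes:
        return hmac.new(self._key, x, hashlib.sha256).digest()

def embed_challenge(oracle: LazyRandomOracle, point: bytes, challenge: bytes) -> bool:
    """Proof-style use of reprogramming: a reduction plants its challenge as O(point) before the
    adversary looks there. Returns False if the point was already queried, in which case the
    reduction must abort (this is where the usual 1/q_H loss in ROM proofs comes from)."""
    if oracle.queried(point):
        return False
    oracle.reprogram(point, challenge)
    return True
```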
Quantum Computation

In this section we recall the basic concepts of quantum information theory and quantum computation. We only give a brief overview here, and refer to [NC00] for a more detailed exposition.
Quantum Mechanics
In quantum mechanics, an isolated physical system (which we denote usuallyby an uppercase letter, e.g., A ) is represented by a complex Hilbert space,denoted by H A (or just H when the physical system is implied), of dimensionsuitable to represent all the independent possible physical states of A . Usingthe bra-ket notation , a completely defined state ϕ of the system (also calleda pure state ) is represented by (a class of) unitary vectors denoted by | ϕ i . Aset of orthonormal generators for H is a basis for H ; a computational basis for H is a conventionally defined basis where elements are labeled as bit strings(or integers) {| x i : x = 1 , . . . , d } , where d := dim H . Every pure state | ϕ i canthus be written as: | ϕ i = X x a x | x i , with P x | a x | = 1. The complex coefficients a x are the amplitudes of | x i , andwe say that | ϕ i is a quantum superposition of states | x i . Sometimes, if X isa set, we use the notation H X to denote a complex Hilbert space for somephysical system such that the computational basis for that space is labeledwith elements of X . That is, H X is the space generated by {| x i : x ∈ X } . For6 Chapter 2. Preliminaries two pure quantum states | ϕ i = P x a x | x i and | ψ i = P x b x | x i in superpositionin the basis states | x i , the Euclidean distance is given by (cid:0) P x | a x − b x | (cid:1) .We denote by h ψ | the dual of a state | ψ i , i.e., h ψ | := | ψ i † . By Riesz’sRepresentation Theorem, for every linear functional (cid:97) : H → C there exists aunique | α i such that (cid:97) ( | ϕ i ) = h α | ϕ i , ∀ ϕ ∈ H . Notice that, since pure statesare represented by classes of unitary vectors, then | h ψ | ϕ i | ∈ [0 , | h ψ | ϕ i | = 1 iff | ϕ i = | ψ i , and | h ψ | ϕ i | = 0 iff | ψ i and | ϕ i are orthogonal. 
In particular, $\langle x_i | x_j \rangle = 0$ for all $i \neq j$.
According to the laws of quantum mechanics, two different types of physically valid transformations can be applied to pure states:
• reversible transformations, or evolutions, which are modeled by unitary operators of the form $U : \mathcal{H} \to \mathcal{H}$; and
• measurements, which allow an observer to extract information from the physical system.
In this work, for pure states we only consider measurement in the computational basis, which works in the following way: let $|\phi\rangle = \sum_x a_x |x\rangle$. Then measuring such a state yields a single outcome $x$ (one of the basis labels) with probability $|a_x|^2$, and after such a measurement the state collapses to the basis state $|x\rangle$.
The composition (joint system) of two physical systems $A$ and $B$ is represented by the tensor product of the respective Hilbert spaces, $\mathcal{H}_{AB} := \mathcal{H}_A \otimes \mathcal{H}_B$. So, for example, if $\{|x\rangle\}_{x \in X}$ is a basis for $\mathcal{H}_A$ and $\{|y\rangle\}_{y \in Y}$ is a basis for $\mathcal{H}_B$ (for two sets $X$ and $Y$), then $\{|x\rangle \otimes |y\rangle\}_{(x,y) \in X \times Y}$ is a basis for $\mathcal{H}_{AB} = \mathcal{H}_{X \times Y}$. We write equivalently $|x\rangle \otimes |y\rangle = |x\rangle|y\rangle = |x, y\rangle$.
Two fundamental theorems in quantum information theory, which we only mention here informally, are the following.
Theorem 2.9 (No-Cloning Theorem). There does not exist any valid physical process which, given as input an arbitrary state $|\phi\rangle$, produces the state $|\phi\rangle \otimes |\phi\rangle$.
Theorem 2.10 (No-Signaling Theorem). There does not exist any valid physical process which allows two parties to transmit information faster than light, even though these parties are allowed to perform instantaneous physical actions on remote and possibly entangled quantum systems.
Entanglement
Notice that not all states of $\mathcal{H}_{AB}$ are of the form $|\phi\rangle \otimes |\psi\rangle$ for some $|\phi\rangle \in \mathcal{H}_A$ and $|\psi\rangle \in \mathcal{H}_B$; actually, very few of them are. For example, for 2-dimensional Hilbert spaces $\mathcal{H}_A$ and $\mathcal{H}_B$, consider the following state:
$$|\rho\rangle_{AB} = \sqrt{\tfrac{1}{2}}\,|00\rangle + \sqrt{\tfrac{1}{2}}\,|11\rangle. \qquad (2.1)$$
If we consider the state of system $A$ alone (which we denote by $|\rho\rangle_A$) we find that it is impossible to write this state as a superposition of $|x\rangle$ elements, and the same applies to $|\rho\rangle_B$. When this happens we say that $A$ and $B$ are entangled (and that $|\rho\rangle_{AB}$ is an entangled state); otherwise we say that $|\rho\rangle_{AB}$ is separable. It turns out that, in a composite system, the vast majority of possible quantum states are entangled, and only a small subclass of them are separable. The reduced states $|\rho\rangle_A$ and $|\rho\rangle_B$ of an entangled system cannot be pure states, so a different formalism is required to express them.
The density matrix formalism is used to represent all those states (including the reduced states of entangled systems) which cannot be represented as pure states. We call such states mixed states, and we drop the bra-ket notation to represent them, in order to highlight the fact that they are not vectors, but matrices. Mixed states can be represented as probability distributions over sets of pure states. If a mixed state $\rho$ is defined as a distribution over elements $|\phi_i\rangle$, each of them occurring with probability $p_i$, then we define:
$$\rho := \sum_i p_i\, |\phi_i\rangle\langle\phi_i|.$$
We call the resulting matrix representation of $\rho$ the density matrix (or density operator) representation of $\rho$. Formally, density matrices are operators $\rho : \mathcal{H} \to \mathcal{H}$ such that:
1. (trace condition) $\mathrm{tr}(\rho) = 1$;
2. (positivity condition) $\langle\phi|\rho|\phi\rangle \geq 0$ for all $\phi \in \mathcal{H}$.
As a consequence, every density operator has diagonal elements in $[0,1]$. We denote the set of all density operators on $\mathcal{H}_A$ (that is, the set of all positive, unit-trace linear operators on $\mathcal{H}_A$) as $D(\mathcal{H}_A)$.
All the formalism defined for pure states can be reformulated in terms of mixed states, because mixed states describe a statistics on pure states. If $|\phi\rangle$ is a pure state, its density matrix is defined just as $|\phi\rangle\langle\phi|$.
If $\rho \in D(\mathcal{H}_A)$ and $\sigma \in D(\mathcal{H}_B)$, then $\rho \otimes \sigma \in D(\mathcal{H}_{AB})$ is the state of the joint system. A unitary evolution $U$ applied to a mixed state $\rho$ produces another mixed state $U \rho U^\dagger$. Measuring a state $\rho$ in the computational basis yields outcome $x_i$ with probability $p_i$, where $p_i$ is the $i$-th diagonal element of $\rho$; in this case, the system is left in the state $|x_i\rangle\langle x_i|$.
If we have two (or more) physical systems $A, B$, and they are jointly in the state $\rho_{AB}$, then the state describing the system $A$ (resp., $B$) alone is denoted by $\rho_A$ (resp., $\rho_B$), which has density operator
$$\rho_A := \mathrm{tr}_B(\rho_{AB}),$$
where $\mathrm{tr}_B$ is the partial trace over $B$, defined on product operators by
$$\mathrm{tr}_B\big(|x\rangle\langle x'|_A \otimes |y\rangle\langle y'|_B\big) := |x\rangle\langle x'|_A \cdot \mathrm{tr}\big(|y\rangle\langle y'|_B\big)$$
and extended to all of $D(\mathcal{H}_{AB})$ by linearity.
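The definitions above (density matrices, unitary evolution $U\rho U^\dagger$, computational-basis measurement and the partial trace) carried out numerically, as an added example that is not part of the thesis. The code builds the entangled state (2.1) from $|00\rangle$ with a Hadamard and a CNOT (standard gates, introduced later in this chapter), traces out $B$, and checks that the reduced state of $A$ is $I/2$ even though the joint state is pure; the product state $|{+}\rangle|0\rangle$ is shown for contrast. Pure Python, no external packages; the matrices are encoded as lists of rows.

```python
# Added example (not from the thesis): a minimal model of the density-matrix
# formalism, with the partial trace written out from its definition.

def ket(amplitudes):
    """A pure state as normalized complex amplitudes in the computational basis."""
    norm = sum(abs(a) ** 2 for a in amplitudes) ** 0.5
    return [complex(a) / norm for a in amplitudes]

def density(psi):
    """|psi><psi| as a d x d matrix (list of rows)."""
    return [[a * b.conjugate() for b in psi] for a in psi]

def matmul(m1, m2):
    return [[sum(m1[i][t] * m2[t][j] for t in range(len(m2)))
             for j in range(len(m2[0]))] for i in range(len(m1))]

def dagger(m):
    return [[m[j][i].conjugate() for j in range(len(m))] for i in range(len(m[0]))]

def kron(m1, m2):
    """Tensor product; A is the first (most significant) factor of the index."""
    r1, c1, r2, c2 = len(m1), len(m1[0]), len(m2), len(m2[0])
    return [[m1[i // r2][j // c2] * m2[i % r2][j % c2]
             for j in range(c1 * c2)] for i in range(r1 * r2)]

def evolve(U, rho):
    """Unitary evolution of a mixed state: rho -> U rho U^dagger."""
    return matmul(matmul(U, rho), dagger(U))

def measure_distribution(rho):
    """Computational-basis measurement: outcome i has probability rho[i][i]."""
    return [rho[i][i].real for i in range(len(rho))]

def partial_trace_B(rho_ab, dim_a, dim_b):
    """tr_B: sum the B index of |x><x'| (x) |y><y'| terms, by linearity."""
    rho_a = [[0j] * dim_a for _ in range(dim_a)]
    for x in range(dim_a):
        for xp in range(dim_a):
            rho_a[x][xp] = sum(rho_ab[x * dim_b + y][xp * dim_b + y] for y in range(dim_b))
    return rho_a

def purity(rho):
    """tr(rho^2): equals 1 for a pure state and 1/d for I/d."""
    rho2 = matmul(rho, rho)
    return sum(rho2[i][i] for i in range(len(rho))).real

def close(m1, m2, tol=1e-9):
    return all(abs(a - b) < tol for r1, r2 in zip(m1, m2) for a, b in zip(r1, r2))

# Standard gates (H and CNOT are defined in the "Quantum Circuits" section).
I2 = [[1, 0], [0, 1]]
s = 1 / 2 ** 0.5
H = [[s, s], [s, -s]]
CNOT = [[1, 0, 0, 0], [0, 1, 0, 0], [0, 0, 0, 1], [0, 0, 1, 0]]

def bell_state():
    """CNOT (H (x) I) |00> = (|00> + |11>)/sqrt(2), the state (2.1), as a density matrix."""
    rho00 = density(ket([1, 0, 0, 0]))
    return evolve(CNOT, evolve(kron(H, I2), rho00))

def reduced_states():
    """Reduced state of A for the Bell state and for the separable state |+>|0>."""
    rho_bell_a = partial_trace_B(bell_state(), 2, 2)
    plus, zero = ket([1, 1]), ket([1, 0])
    rho_prod_a = partial_trace_B(density([a * b for a in plus for b in zero]), 2, 2)
    return rho_bell_a, rho_prod_a

if __name__ == "__main__":
    bell_a, prod_a = reduced_states()
    print("reduced Bell state on A:", bell_a, "purity", purity(bell_a))
    print("reduced product state on A:", prod_a, "purity", purity(prod_a))
```

The Bell state itself is pure (purity 1, only the outcomes 00 and 11 occur), yet its reduced state on $A$ is the maximally mixed $I/2$: looking at $A$ alone, every measurement is a coin flip, which is exactly why the reduced state cannot be written as a pure superposition.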
The act of taking a state in a joint system and considering only the state in one of its subsystems, 'forgetting' about the rest of the system, is called tracing out (or reducing) to a certain subsystem. W.l.o.g. this can be seen as: first measuring the state in the computational basis only on the subsystem to be 'forgotten' (thereby collapsing part of the state and hence obtaining a separable state between the two systems), and then discarding the collapsed part and considering only the state of the subsystem left.
Any physically allowable process in nature, according to quantum mechanics, has to obey the constraint that density operators must be mapped to other density operators. That is, the mathematical transformation describing a physical process must preserve the unit trace and the positivity of the operators (in fact complete positivity: positivity must be preserved also when the transformation acts on only one part of a larger, possibly entangled, system). We call such 'admissible transformations' CPTP maps (completely positive, trace-preserving maps), or quantum channels.
Quantum Circuits
The most widely used model for quantum computation is that of quantum circuits. A quantum circuit is the analogue of a Boolean circuit, with a few differences. For the purpose of this work, we consider the following:
• instead of acting on registers of bits, a quantum circuit operates on quantum registers, which are physical systems composed of subsystems (called qubits) described by 2-dimensional complex Hilbert spaces;
• instead of being composed of Boolean gates, quantum circuits are composed of elementary quantum gates, which are either measurement operators, or transformations on (some subsets of) qubits, described by unitary operators.
A quantum circuit takes as input a quantum register in a certain state and produces a quantum output, but we can always consider additional classical inputs and outputs (which can be 'embedded' into quantum registers as basis states). The outcome of the quantum computation, however, is usually recovered through a measurement. It turns out that, w.l.o.g., measurements during a quantum computation can always be postponed to the very end of the quantum circuit, without changing the distribution of outcomes.
The number of input and output qubits of a quantum circuit can be different from each other. In fact, even though unitary operators map a space to itself, a quantum circuit can have additional constant 'hidden input registers' (called ancilla qubits, usually initialized to $|0\rangle$), and can 'delete' or 'forget' some registers (by tracing them out). In this way, any CPTP map can be modeled as a quantum circuit.
For the purpose of this work, we only consider measurement operators in the computational basis. If we have a single qubit in a state $|\phi\rangle$ and we apply
Figure 2.1: Quantum measurement gate.
Figure 2.2: Single-qubit unitary gate.
a measurement on that qubit in order to obtain a single bit as outcome, we denote this as in Figure 2.1 (the double line denotes a classical output). If $U$ is a single-qubit unitary acting on the $i$-th qubit of an $n$-qubit system, it is denoted by $U_i$ as shown in Figure 2.2.
The most basic single-qubit gate is the identity $I$:
$$I := \begin{pmatrix} 1 & 0 \\ 0 & 1 \end{pmatrix}.$$
A very important single-qubit gate is the Hadamard gate, denoted by $H$ and defined by the unitary matrix
$$H := \frac{1}{\sqrt{2}} \begin{pmatrix} 1 & 1 \\ 1 & -1 \end{pmatrix}.$$
Other useful single-qubit operators are the Pauli matrices $X, Y, Z$, defined by
$$X := \begin{pmatrix} 0 & 1 \\ 1 & 0 \end{pmatrix}, \quad Y := \begin{pmatrix} 0 & -i \\ i & 0 \end{pmatrix}, \quad Z := \begin{pmatrix} 1 & 0 \\ 0 & -1 \end{pmatrix}.$$
Notice how the Pauli matrices are also Hermitian (and hence, being unitary, self-inverse). Moreover they satisfy $ZX = iY$ (equivalently, $XZ = -iY$). We define the Pauli group on one qubit $P_1$ as the multiplicative matrix group generated by $\{iI, X, Y, Z\}$; it has 16 elements, namely $I, X, Y, Z$ each multiplied by one of the phases $\pm 1, \pm i$. This extends to the Pauli group on $n$ qubits $P_n$ as the group generated by $\{iI, X_i, Y_i, Z_i : i = 1, \dots, n\}$.
Finally, two very important 2-qubit gates are the controlled-NOT (CNOT) and the SWAP gates, which act on basis states as $\mathrm{CNOT}\,|x, y\rangle = |x, x \oplus y\rangle$ and $\mathrm{SWAP}\,|x, y\rangle = |y, x\rangle$, i.e.:
$$\mathrm{CNOT} := \begin{pmatrix} 1 & 0 & 0 & 0 \\ 0 & 1 & 0 & 0 \\ 0 & 0 & 0 & 1 \\ 0 & 0 & 1 & 0 \end{pmatrix}, \quad \mathrm{SWAP} := \begin{pmatrix} 1 & 0 & 0 & 0 \\ 0 & 0 & 1 & 0 \\ 0 & 1 & 0 & 0 \\ 0 & 0 & 0 & 1 \end{pmatrix}.$$
A quantum algorithm is a uniform family of quantum circuits, i.e., there exists a (classical) Turing machine which, given the security parameter expressed
Figure 2.3: CNOT gate.
Figure 2.4: SWAP gate.
in unary $1^n$ as input, runs in time at most polynomial in $n$, and outputs a (classical) description of the $n$-th member of the quantum circuit family. QPT stands for 'quantum polynomial time', so a QPT algorithm is a uniform family of quantum circuits of size polynomial in the security parameter.
As quantum algorithms are probabilistic by nature, there is no quantum analogue of the classical complexity class P. However, there is an analogue for BPP: the complexity class BQP is the set of all languages $L$ for which there exists a QPT algorithm $M$ and a positive constant $c$ such that:
1. $\forall x \in L \Rightarrow \Pr[M(x) \to 1] \geq \frac{1}{2} + c$; and
2. $\forall x \notin L \Rightarrow \Pr[M(x) \to 0] \geq \frac{1}{2} + c$.
Informally, BQP is the set of all problems which are 'easy to solve with high probability' on a quantum computer.
'Famous' quantum algorithms include Shor's algorithm [Sho94] for factoring integers and solving the DLP in polynomial time, Simon's algorithm [Sim97] for recognizing in polynomial time black-box functions of a certain form, and Grover's algorithm [Gro96] for quadratically speeding up search on unsorted databases, inversion of functions, and generic brute-force attacks.
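The gate algebra of the previous section checked with explicit matrices, as an added example that is not part of the thesis: Hermiticity and unitarity of $H$ and the Paulis, the relations $ZX = iY$ and $XZ = -iY$, the size of the single-qubit Pauli group obtained by closing $\{iI, X, Y, Z\}$ under multiplication, the action of CNOT and SWAP on basis labels, and the standard identity expressing SWAP as three CNOTs. Pure Python; the only assumption is the qubit ordering (first qubit is the most significant index), which is the convention used for the CNOT and SWAP matrices above.

```python
# Added example (not from the thesis): numerical checks of the gate definitions.

def mat(rows):
    return [[complex(v) for v in r] for r in rows]

def mul(a, b):
    return [[sum(a[i][t] * b[t][j] for t in range(len(b)))
             for j in range(len(b[0]))] for i in range(len(a))]

def scale(c, m):
    return [[c * v for v in r] for r in m]

def dag(m):
    return [[m[j][i].conjugate() for j in range(len(m))] for i in range(len(m[0]))]

def kron(a, b):
    ra, ca, rb, cb = len(a), len(a[0]), len(b), len(b[0])
    return [[a[i // rb][j // cb] * b[i % rb][j % cb]
             for j in range(ca * cb)] for i in range(ra * rb)]

def eq(a, b, tol=1e-12):
    return all(abs(x - y) < tol for ra, rb in zip(a, b) for x, y in zip(ra, rb))

I = mat([[1, 0], [0, 1]])
X = mat([[0, 1], [1, 0]])
Y = mat([[0, -1j], [1j, 0]])
Z = mat([[1, 0], [0, -1]])
s = 1 / 2 ** 0.5
H = mat([[s, s], [s, -s]])
CNOT = mat([[1, 0, 0, 0], [0, 1, 0, 0], [0, 0, 0, 1], [0, 0, 1, 0]])
SWAP = mat([[1, 0, 0, 0], [0, 0, 1, 0], [0, 1, 0, 0], [0, 0, 0, 1]])

def is_unitary(U):
    n = len(U)
    return eq(mul(dag(U), U), mat([[int(i == j) for j in range(n)] for i in range(n)]))

def is_hermitian(M):
    return eq(M, dag(M))

def pauli_relations():
    """ZX = iY, XZ = -iY, X^2 = Y^2 = Z^2 = I, and H X H = Z."""
    return (eq(mul(Z, X), scale(1j, Y)) and eq(mul(X, Z), scale(-1j, Y))
            and all(eq(mul(P, P), I) for P in (X, Y, Z))
            and eq(mul(mul(H, X), H), Z))

def pauli_group_size():
    """Close {iI, X, Y, Z} under multiplication: the single-qubit Pauli group P_1."""
    key = lambda m: tuple(complex(round(v.real, 9), round(v.imag, 9)) for r in m for v in r)
    gens = [scale(1j, I), X, Y, Z]
    group, frontier = {key(I): I}, [I]
    while frontier:
        m = frontier.pop()
        for g in gens:
            p = mul(m, g)
            if key(p) not in group:
                group[key(p)] = p
                frontier.append(p)
    return len(group)

def basis_action(U, x, y):
    """Apply a 2-qubit permutation gate to |x,y> and return the output label (x', y')."""
    col = [U[i][2 * x + y] for i in range(4)]
    idx = [i for i, v in enumerate(col) if abs(v) > 0.5]
    assert len(idx) == 1 and abs(col[idx[0]] - 1) < 1e-12, "not a basis permutation"
    return idx[0] >> 1, idx[0] & 1

def swap_from_cnots():
    """SWAP = CNOT_12 CNOT_21 CNOT_12, where CNOT_21 = (H (x) H) CNOT (H (x) H)."""
    HH = kron(H, H)
    cnot21 = mul(mul(HH, CNOT), HH)
    return eq(mul(mul(CNOT, cnot21), CNOT), SWAP)

if __name__ == "__main__":
    print("Pauli relations hold:", pauli_relations(), "|P_1| =", pauli_group_size())
    print("CNOT|1,0> =", basis_action(CNOT, 1, 0), " SWAP|0,1> =", basis_action(SWAP, 0, 1))
```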
Quantum Oracles
As in the classical case, the computational capabilities of a quantum algorithm $A$ can be expanded by giving the algorithm access to an oracle $O$, which we denote by $A^O$. The oracle can be classical (with the same meaning as in the classical case), or it can be quantum. In the latter case, we have to distinguish between:
• (standard) quantum oracle access. In this case the oracle is a unitary operation $U$ which $A$ can query on a quantum state $\rho$ at unit time cost in order to receive the response state $U \rho U^\dagger$. Whenever not specified, by 'oracle access' we always mean the standard one.
• Quantum gate access. In this case the oracle is also a unitary operator, like in the standard oracle access; the only difference is that $A$ automatically gains access to the inverse operator $U^\dagger$ as well.
• Quantum circuit access. In this case the oracle is not necessarily unitary, but an arbitrary CPTP map. This means that the oracle could, e.g., perform measurements, trace out qubits, or act on additional quantum registers outside of $A$'s control.
We use the following technical tool in the proof of Theorem 4.39. Let $A$ be a quantum algorithm performing quantum queries to an oracle $O$, and let $q_x(|\phi_j\rangle)$ be the magnitude squared of basis element $x$ in the $j$-th query, which we call the query probability of $x$ in query $j$. If we sum over all queries, we get an upper bound on the total query probability of $x$.
Lemma 2.11 ([BBBV97, Theorem 3.3]). Let $A$ be a quantum algorithm running in time $t$ with quantum oracle access to $O : X \to Y$. Let $\varepsilon > 0$ and let $S \subseteq \{1, \dots, t\} \times X$ be a set of time-string pairs such that $\sum_{(j,x) \in S} q_x(|\phi_j\rangle) \leq \varepsilon$. If we modify $O$ into an oracle $O'$ which answers each query $x$ at time $j$ by providing the same string $\bar{x}$ (which has been sampled independently of $O$) whenever $(j, x) \in S$, then the Euclidean distance between the final states of $A$ when invoking $O$ and $O'$ is at most $\sqrt{t \varepsilon}$.
Distinguishing Quantum States
A crucial problem in quantum information theory is distinguishing quantum states. Because quantum states form a continuum, and because the only way we have to extract information from them is by performing measurements, distinguishing different quantum states with certainty is not always possible. In fact, for any practical purpose two quantum states are 'the same state' if there is no physically admissible process extracting measurement outcomes with different distributions from those states. In other words, it is only possible to distinguish different quantum states if we can perform operations on them leading to measurement outcome distributions which are themselves distinguishable. Because in this work we only deal with computationally bounded processes, it is clear that the minimal requirement for two states to be distinguishable is that they are (or can be efficiently transformed to) states which yield computationally distinguishable outcome distributions when measured.
The following lemma from [BV97] upper-bounds the statistical distance between the distributions of measurements on two quantum states in terms of their Euclidean distance.
Lemma 2.12 ([BV97, Lemma 3.6]). Let $|\phi\rangle, |\psi\rangle$ be pure quantum states with Euclidean distance at most $\varepsilon$. Then, performing the same measurement on $|\phi\rangle, |\psi\rangle$ yields distributions with statistical distance at most $\varepsilon$.
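Two points of the discussion above made concrete, as an added example that is not part of the thesis: Lemma 2.12 checked numerically on constructed pairs of nearby states, and the remark that distinguishability depends on the operations one is allowed to apply before measuring. The states $|{+}\rangle = (|0\rangle + |1\rangle)/\sqrt{2}$ and $|{-}\rangle = (|0\rangle - |1\rangle)/\sqrt{2}$ give identical computational-basis statistics, but one Hadamard maps them to $|0\rangle$ and $|1\rangle$, which are told apart with certainty. Pure Python; the random test states are generated from a fixed seed and are part of this example, not data from the thesis.

```python
# Added example (not from the thesis): distinguishing pure states by measurement.
import math
import random

def normalize(v):
    n = math.sqrt(sum(abs(a) ** 2 for a in v))
    return [complex(a) / n for a in v]

def euclidean_distance(phi, psi):
    """|| |phi> - |psi> ||, the distance used in Lemma 2.12."""
    return math.sqrt(sum(abs(a - b) ** 2 for a, b in zip(phi, psi)))

def measurement_distribution(phi):
    """Computational-basis outcome probabilities |a_x|^2."""
    return [abs(a) ** 2 for a in phi]

def statistical_distance(p, q):
    return 0.5 * sum(abs(a - b) for a, b in zip(p, q))

def apply(U, phi):
    return [sum(U[i][j] * phi[j] for j in range(len(phi))) for i in range(len(U))]

s = 1 / math.sqrt(2)
H = [[s, s], [s, -s]]

def lemma_2_12_holds(phi, psi):
    """Statistical distance of the measured outcomes is at most the Euclidean distance."""
    eps = euclidean_distance(phi, psi)
    sd = statistical_distance(measurement_distribution(phi), measurement_distribution(psi))
    return sd <= eps + 1e-12

def plus_minus_example():
    """Returns (SD before any operation, SD after applying H) for |+> and |->."""
    plus, minus = normalize([1, 1]), normalize([1, -1])
    before = statistical_distance(measurement_distribution(plus),
                                  measurement_distribution(minus))
    after = statistical_distance(measurement_distribution(apply(H, plus)),
                                 measurement_distribution(apply(H, minus)))
    return before, after

def random_check(trials=200, seed=1):
    """Lemma 2.12 on random pairs of nearby 4-dimensional states (constructed data)."""
    rng = random.Random(seed)
    for _ in range(trials):
        phi = normalize([complex(rng.gauss(0, 1), rng.gauss(0, 1)) for _ in range(4)])
        noise = [complex(rng.gauss(0, 0.1), rng.gauss(0, 0.1)) for _ in range(4)]
        psi = normalize([a + b for a, b in zip(phi, noise)])
        if not lemma_2_12_holds(phi, psi):
            return False
    return True

if __name__ == "__main__":
    print("SD(|+>,|->) before / after H:", plus_minus_example())
    print("Lemma 2.12 holds on random pairs:", random_check())
```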
For mixed states on isolated systems, the trace distance is a useful mathematical tool which directly gives an upper bound on the probability of distinguishing two states for any physical process.
Definition 2.13 (Trace Distance). Let $\rho, \sigma \in D(\mathcal{H})$. The trace distance between $\rho$ and $\sigma$ is defined by
$$\|\rho - \sigma\|_{\mathrm{tr}} := \frac{1}{2} \sum_i |\lambda_i|,$$
where the $\lambda_i$ are the eigenvalues of $\rho - \sigma$.
We call the totally, or maximally mixed state over a physical system $A$ the mixed state $\tau_A := I / \dim \mathcal{H}_A$ (it is the reduced state on $A$ of a maximally entangled state on $AB$); it has the property that a measurement in any orthonormal basis on this state always yields the uniform distribution over the possible outcomes. This state represents somehow 'a state of maximal uncertainty', and a common technique to show that no information can be extracted from a quantum state is to show that such a state has 'low' trace distance from the maximally mixed state.
However, when trying to distinguish between two CPTP maps, or two possible states on a non-isolated system, the trace distance is not enough. The reason is that, because of entanglement, two states which are different on a joint system $AB$ might yield the same reduced state on a subsystem $A$. In that case, the trace distance on $A$ would be 0, but a distinguisher with access to $B$ might still be able to tell them apart. In these cases the diamond norm is used, which induces a distance between CPTP maps.
Definition 2.14 (Diamond Norm). If $\Phi$ is a CPTP map (quantum channel) from $D(\mathcal{H}_A)$ to $D(\mathcal{H}_B)$, then its diamond norm is defined by
$$\|\Phi\|_\diamond := \sup_{\rho \in D(\mathcal{H}_{AK})} \|(\Phi \otimes I_K)(\rho)\|_{\mathrm{tr}},$$
where $\mathcal{H}_K$ is any Hilbert space such that $\dim \mathcal{H}_K \geq \dim \mathcal{H}_A$. It can be shown that an upper bound on the probability of distinguishing two quantum channels $\Phi$ and $\Psi$ is given by $\|\Phi - \Psi\|_\diamond$.
Chapter 3. QS$_0$: Classical Security
The first class of cryptographic security notions that we are going to analyze encompasses the weakest notions in the quantum world. Namely: no quantum at all. In our new labeling system, the security class QS$_0$ no mention of quantum information theory. That is, QS$_0$
My Scientific Contribution in this Chapter
Most of the material in this chapter can be found in the existing literature (see for example [KL07, Gol01, Gol04]), and is part of the preliminary technical results needed to understand the challenges arising when modeling security scenarios in a quantum world. However, to the best of my knowledge, the proof of Theorem 3.32 has never been made explicit before. In fact, separation examples between CPA and CCA scenarios in the scientific literature usually refer either to the public-key scenario (where one can exploit group homomorphic properties) or to the separation between CPA and CCA2. Moreover, all the material from Section 3.6 first appeared in [GKK17], which is a joint work with Nikolaos P. Karvelas and Stefan Katzenbeisser.
Building Blocks
We start our analysis of classical cryptographic primitives by recalling some basic building blocks which we will use throughout the rest of this work. In what follows, $X$ and $Y$ are (sub)sets of binary strings. W.l.o.g., we assume that $X = (X_n)_n := (\{0,1\}^n)_n$. The key space $K$ instead is identified with $(K_n)_n \subseteq \{0,1\}^{s(n)}$ for security parameter $n \in \mathbb{N}$, where $s$ is a polynomial function determined by the scheme considered. W.l.o.g. we assume that, for security parameter $n$, keys are of bit size $n$.
Pseudorandom Number Generators
A pseudorandom number generator (PRNG) is a DPT (deterministic polynomial-time) stateful algorithm which outputs bit strings with a distribution computationally indistinguishable from the uniform distribution over some set. There is no secret key involved, but a secret internal state of the algorithm determines the value to be output next. As the algorithm is deterministic, the same internal state produces the same output value, so the state must be updated after every execution, according to a procedure specified by the algorithm itself. The initial value of the PRNG's state is called the seed. Formally, we give a slightly different definition.
Definition 3.1 (Pseudorandom Number Generator (PRNG)). Let $p$ be a polynomial such that $p(n) \geq n + 1$ for all $n \in \mathbb{N}$. A pseudorandom number generator (PRNG) with expansion factor $p$ is a DPT algorithm $G$ such that:
1. given as input a bit string $s \in \{0,1\}^n$ (the seed), it outputs a bit string $G(s) \in \{0,1\}^{p(n)}$; and
2. for any PPT algorithm $D$:
$$\big|\Pr[D(r) \to 1] - \Pr[D(G(s)) \to 1]\big| \leq \mathrm{negl},$$
where $r \xleftarrow{\$} \{0,1\}^{p(n)}$, $s \xleftarrow{\$} \{0,1\}^n$, and the probabilities are taken over the choice of $r$ and $s$, and the randomness of $D$.
However, it is possible to show that with the above definition one can actually also define a procedure to output a stream of polynomially many values of bit size polynomial in $n$. The idea is to define a bit stream where some of the $p(n)$ output bits are used to form the stream, and the others are used to generate a new, updated seed for $G$. Therefore, one usually speaks of a PRNG with $n$-bit output. Analogously, it is easy to see that bits truncated from $G$'s output are also pseudorandom.
Moreover, it is possible to prove that the condition of indistinguishability from random is equivalent to the condition of non-predictability, that is, no PPT algorithm can reliably guess the next bit output by $G$, even after observing all the previous output bits. Given a one-way function (OWF) $F$ with a hard-core predicate, one can define a PRNG which outputs a hard-core bit of $F$, computed on the seed. This construction can be iterated, producing a PRNG which we denote by $G_F$, and which outputs polynomially many hard-core bits of $F, F^2, F^3, \dots$.
Construction 3.2 (Goldreich-Levin PRNG [GL89]). Let $F : X \to Y$ be a OWF with hard-core predicate $hc_F$. Define a stateful DPT algorithm $G_F : X \to X$ which, given as input an $n$-bit seed $x \in X$, outputs the $n$-bit string
$$hc_{F}(x) \,\|\, hc_{F^2}(x) \,\|\, \dots \,\|\, hc_{F^n}(x).$$
We call $G_F$ the Goldreich-Levin construction for the OWF $F$.
Theorem 3.3 ([GL89]). Construction 3.2 is a PRNG.
It must be noticed that the proof of the above theorem does not make any assumption on the adversary in terms of queries to the OWF. This fact will be important in the next chapter. It follows from Proposition 2.4 that a PRNG can be constructed from any OWF.
Corollary 3.4 (OWF ⇔ PRNG). OWFs exist iff PRNGs exist.
Pseudorandom Functions
A (family of) pseudorandom functions (PRF) from $X$ to $Y$ with key space $K$ is a family of efficiently computable functions $F : K \times X \to Y$ which, without knowledge of the secret key $k \in K$ indexing the particular member of the family, is computationally indistinguishable from the collection of all functions from $X$ to $Y$ (denoted by $Y^X$). We identify $F$ with a DPT algorithm computing $F$ for a specific security parameter $n$. As a shorthand notation, we write $F_k : X \to Y$ meaning the member of the family indexed by $k \in K$.
Definition 3.5 (Pseudorandom Function (PRF)). A (family of) pseudorandom functions (PRF) from $X$ to $Y$ with key space $K$ is a DPT algorithm $F : (k \in K_n, x \in X_n) \mapsto y \in Y_n$ such that for any PPT algorithm $D$ it holds:
$$\Big|\Pr_{k \xleftarrow{\$} K}\big[D^{F_k} \to 1\big] - \Pr_{h \xleftarrow{\$} Y^X}\big[D^{O_h} \to 1\big]\Big| \leq \mathrm{negl},$$
where $O_h$ is an oracle computing $h$ (i.e., a random oracle), and the probabilities are over the choice of $k$ and $h$, and the randomness of $D$.
In security reductions, PRFs are usually replaced by truly random functions, i.e., modeled as random oracles. However, unlike PRNGs, their security depends on the secrecy of the key used, because any party with knowledge of such a key can trivially distinguish the PRF from a completely random function. PRFs, being indistinguishable from random functions, can be used as PRNGs (for the vast majority of the possible keys).
Theorem 3.6 (PRF ⇒ PRNG). If PRFs exist, then PRNGs exist.
Conversely, one can show that PRFs can be built from PRNGs, and therefore their existence is equivalent to the existence of OWFs.
Theorem 3.7 ([GGM84]). If PRNGs exist, then PRFs exist.
However, unlike in the case of Theorem 3.3, the proof does make assumptions on the query capabilities of the adversary.
Corollary 3.8. OWFs exist iff PRFs exist.
Pseudorandom Permutations
Pseudorandom permutations (PRP) are just PRFs which also happen to be (invertible) permutations on some space $X$, for any choice of key. That is, a PRP $P$ is a family of permutations (and their inverses) which is computationally indistinguishable from the family $S(X)$ of all the permutations on $X$. As in the PRF case, we identify a PRP $P$ with the DPT algorithm evaluating it, and as a shorthand notation we write $P_k : X \to X$ meaning the member of the (circuit or function) family indexed by $k \in K$.
We start by defining a weak PRP, that is, one which is indistinguishable from random to any adversary who does not have oracle access to the inverse permutation.
Definition 3.9 (Weak Pseudorandom Permutation (WPRP)). A (family of) weak pseudorandom permutations (WPRP) on $X$ with key space $K$ is a pair of DPT algorithms $(P, P^{-1}) : (k \in K, x \in X) \mapsto x' \in X$ such that:
1. $\forall k \in K \Rightarrow P_k, P^{-1}_k$ are permutations on $X$;
2. $\forall k \in K \Rightarrow (P_k)^{-1} = P^{-1}_k$; and
3. for any PPT algorithm $D$ it holds:
$$\Big|\Pr_{k \xleftarrow{\$} K}\big[D^{P_k} \to 1\big] - \Pr_{p \xleftarrow{\$} S(X)}\big[D^{O_p} \to 1\big]\Big| \leq \mathrm{negl},$$
where $O_p$ is an oracle for $p$, and the probabilities are over the choice of $k$ and $p$, and the randomness of $D$.
In a stronger scenario, the adversary is additionally given oracle access to the DPT algorithm $P^{-1}$ computing the inverse permutation. A PRP is called strong if it maintains pseudorandomness also in this setting.
Definition 3.10 (Strong Pseudorandom Permutation (SPRP)). A (family of) strong pseudorandom permutations (SPRP) on $X$ with key space $K$ is a pair of DPT algorithms $(P, P^{-1}) : (k \in K, x \in X) \mapsto x' \in X$ such that:
1. $\forall k \in K \Rightarrow P_k, P^{-1}_k$ are permutations on $X$;
2. $\forall k \in K \Rightarrow (P_k)^{-1} = P^{-1}_k$; and
3. for any PPT algorithm $D$ it holds:
$$\Big|\Pr_{k \xleftarrow{\$} K}\big[D^{P_k, P^{-1}_k} \to 1\big] - \Pr_{p \xleftarrow{\$} S(X)}\big[D^{O_p, O_{p^{-1}}} \to 1\big]\Big| \leq \mathrm{negl},$$
where $O_p$ is an oracle for $p$, $O_{p^{-1}}$ is an oracle for $p^{-1}$, and the probabilities are over the choice of $k$ and $p$, and the randomness of $D$.
When left unspecified, by 'PRP' we mean the strong version. A PRP is clearly also a PRF, but not necessarily the other way around. However, there exist constructions of PRPs from PRFs, such as the
Feistel construction. Therefore, the existence of PRPs is also equivalent to the existence of OWFs.
Theorem 3.11 (PRF ⇔ PRP). PRFs exist iff PRPs exist.
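The chain OWF → PRNG → PRF → PRP sketched in this section, written out end to end as an added example that is not part of the thesis: Construction 3.2 (hard-core bits of the iterated function), the GGM tree behind Theorem 3.7, and a four-round Feistel network with its inverse for Theorem 3.11. The one-way function is a toy modular exponentiation over the 61-bit prime $2^{61}-1$ and the hard-core predicate is the Goldreich-Levin inner product $\langle x, r\rangle$ for a fixed public $r$; the prime, base and $r$ are constructed parameters chosen here for illustration (the discrete logarithm is trivial at this size), so the code shows the structure of the reductions and is not a usable primitive.

```python
# Added example (not from the thesis): PRNG -> PRF (GGM) -> PRP (Feistel).
# All parameters below are TOY values chosen for this illustration.

P = (1 << 61) - 1                    # toy prime 2^61 - 1; also the 61-bit mask
N = 61                               # n: bit size of seeds, keys, PRF inputs and outputs
G = 3                                # base of the toy exponentiation map
R_PUBLIC = 0x1F2E3D4C5B6A798 & P     # constructed public Goldreich-Levin randomness r

def owf(x):
    """Toy F : {0,1}^61 -> {0,1}^61, F(x) = G^x mod P (not one-way at this size)."""
    return pow(G, x, P)

def hardcore(x, r=R_PUBLIC):
    """Goldreich-Levin predicate hc_r(x) = <x, r> mod 2, i.e. the parity of x AND r."""
    return bin(x & r).count("1") & 1

def prng(seed, out_bits):
    """Construction 3.2: hc(F(s)) || hc(F^2(s)) || ... || hc(F^m(s)), as an integer."""
    x, out = seed, 0
    for _ in range(out_bits):
        x = owf(x)
        out = (out << 1) | hardcore(x)
    return out

def g0_g1(state):
    """Length-doubling G(s) = G_0(s) || G_1(s), each half n bits, built from the PRNG."""
    expanded = prng(state, 2 * N)
    return expanded >> N, expanded & P

def ggm_prf(key, x, in_bits=N):
    """GGM PRF F_k(x): descend the tree taking G_{x_i}(state) for each input bit of x."""
    state = key
    for i in range(in_bits - 1, -1, -1):
        left, right = g0_g1(state)
        state = right if (x >> i) & 1 else left
    return state

def round_keys(key, rounds):
    """Per-round PRF keys k_i = F_key(i), so rounds use independent-looking functions."""
    return [ggm_prf(key, i) for i in range(rounds)]

def feistel_encrypt(key, x, rounds=4):
    """Feistel PRP on 2n-bit blocks (Luby-Rackoff: 4 PRF rounds give a strong PRP)."""
    L, R = x >> N, x & P
    for k in round_keys(key, rounds):
        L, R = R, L ^ ggm_prf(k, R)
    return (L << N) | R

def feistel_decrypt(key, y, rounds=4):
    """The inverse permutation P^{-1}_k: undo the rounds in reverse order."""
    L, R = y >> N, y & P
    for k in reversed(round_keys(key, rounds)):
        L, R = R ^ ggm_prf(k, L), L
    return (L << N) | R

if __name__ == "__main__":
    key = 0x2A3B4C5D6E7F8091 & P                      # constructed key
    block = 0x0123456789ABCDEF0123456789ABCDEF & ((1 << 2 * N) - 1)
    ct = feistel_encrypt(key, block)
    print(hex(ct), feistel_decrypt(key, ct) == block)
```

Each layer only relies on the interface of the one below: the GGM tree needs a length-doubling generator, the Feistel network needs a keyed function on half-blocks, and neither touches the one-way function directly, which is what makes the equivalences of Corollaries 3.4 and 3.8 and Theorem 3.11 go through.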
Secret-Key Encryption Schemes
A very fundamental object in cryptography is secret-key (or symmetric-key) encryption schemes (SKES). In what follows, $X$ and $Y$ represent the plaintext and ciphertext message spaces respectively, while $K$ is the key space.
Definition 3.12 (Secret-Key Encryption Scheme (SKES)). A secret-key encryption scheme (SKES) with plaintext space $X$, ciphertext space $Y$, and key space $K$ is a tuple of PPT algorithms $\mathcal{E} := \mathcal{E}_{K,X,Y} := (\mathrm{KGen}, \mathrm{Enc}, \mathrm{Dec})$:
1. $\mathrm{KGen} : 1^n \to K$;
2. $\mathrm{Enc} : K \times X \to Y$;
3. $\mathrm{Dec} : K \times Y \to X \cup \{\bot\}$;
such that $\forall n \in \mathbb{N}, x \in X, k \leftarrow \mathrm{KGen}(1^n) \Rightarrow \mathrm{Dec}(k, \mathrm{Enc}(k, x)) = x$.
Notice the following:
• KGen only gets as input a security parameter, but Enc, Dec also need as input the correct security parameter related to the second input (the secret key) they receive. In order to lighten notation and w.l.o.g. we just assume that $n$ is also appended to every $k \leftarrow \mathrm{KGen}$, so that every key also implicitly contains the security parameter.
• Strictly speaking, it is not necessary to define $\bot$ as a possible output for Dec. However, this is useful when defining schemes which can also reject certain ciphertexts (such as CCA2-secure encryption schemes).
• As a shorthand notation, we will write $\mathrm{Enc}_k$ meaning the Enc algorithm with $k \in K$ fixed as first input; analogously for $\mathrm{Dec}_k$.
• KGen is always assumed to be a nondeterministic algorithm, otherwise the encryption scheme would be trivial (the key would be fixed and known to everybody).
• Enc can be a probabilistic algorithm, so it is certainly possible that two different executions of $\mathrm{Enc}_k(x)$ for fixed $k$ and $x$ yield two different ciphertexts. However, those ciphertexts would still decrypt to the same $x$ through $\mathrm{Dec}_k$.
• As an immediate consequence of the previous point, for a given $k \in K$ the image sets of different plaintexts are disjoint. That is: $x \neq x' \Rightarrow \mathrm{Supp}(\mathrm{Enc}_k(x)) \cap \mathrm{Supp}(\mathrm{Enc}_k(x')) = \emptyset$.
• The behavior of $\mathrm{Dec}_k$ is unspecified (and dependent on the SKES considered) if given as input an element of $Y$ which is not a valid encryption, i.e., not of the form $\mathrm{Enc}_k(x)$ for any $x \in X$.
• If $\mathrm{Enc}_k$ is nondeterministic for all $k \in K$, then we say that $\mathcal{E}$ is randomized, otherwise we say that $\mathcal{E}$ is deterministic.
Finally, notice that Definition 3.12 does not say anything about the security of a SKES. We will study this aspect in the next section. In particular, for a SKES to be considered 'secure', the size of $\mathrm{Supp}(\mathrm{KGen}(1^n))$ must be superpolynomial in $n$. One of the most basic examples of SKES is the well-known one-time pad (OTP).
Construction 3.13 (One-Time Pad (OTP)). Let $X = K = Y = \{0,1\}^n$. Define the one-time pad (OTP) on $n$ bits $\mathcal{E} = \mathcal{E}_{K,X,Y} := (\mathrm{KGen}, \mathrm{Enc}, \mathrm{Dec})$ as the SKES with key space $K$, plaintext space $X$, and ciphertext space $Y$, defined as follows:
1. $\mathrm{KGen}(1^n) \to k$, with $k \xleftarrow{\$} K$;
2. $\mathrm{Enc}_k(x) := x \oplus k$;
3. $\mathrm{Dec}_k(y) := y \oplus k$.
It is well known that the OTP is information-theoretically secure, as long as the key is completely random and only used once.
Semantic Security
In order to analyze the security of a SKES, we first have to define what it means for a SKES to be 'secure'. That is, we have to define a 'meaning', i.e., a semantics of the term 'security'. Intuitively, we want to formalize the fact that no reasonable adversary should be able, given a ciphertext, to find out any 'interesting' information about the underlying plaintext. There are three aspects to consider here.
First of all, we should define what a 'reasonable' adversary is. In our case we will consider computationally bounded adversaries, that is, adversaries modeled as PPT algorithms, because we consider computational security. However, adversaries could be given additional power in the form of oracles. We will see a few examples in the next sections, while in this part we will start with the basic scenario (without oracles).
Secondly, we should define what constitutes 'interesting information' about the underlying plaintext. We do not consider 'interesting' all that information which is already publicly available, leaked, or manifest. For example, the length (bit size) of the plaintext is usually identifiable by only looking at the length of the ciphertext. Moreover, if some information about the plaintext is known a priori, e.g. 'the message starts with a vowel', we do not consider an adversary successful if he is only able to tell that the message starts with a vowel, because that fact is already known. We want security to protect the encryption scheme only against those adversaries who can extract 'interesting' information from the ciphertexts.
Finally, we should define the 'winning conditions' for our adversaries, so that we can call our schemes 'secure' if they prevent the adversaries from reaching those conditions. In theory, we could define a scheme to be 'secure' if every adversary fails consistently in his goals, regardless of the choice of keys and plaintexts he intends to attack. However, this is not reasonable to expect, for three reasons:
• The choice of some particular key might influence the adversary's winning probability. For example, what if the message is encrypted with a key that the adversary happens to know as well?
• The choice of the plaintexts is important as well. On one hand, we need the scheme to be secure even in the worst-case scenario (that is, the best-case scenario from the adversary's perspective). On the other hand, we cannot leave arbitrary freedom to the adversary in choosing the underlying plaintext, otherwise he could just break the encryption of a message he already knows, but that would not be 'interesting' information.
• The adversary might just get lucky. For example, when trying to decrypt a single bit of the message, he might just guess randomly, and still be successful 50% of the time.
In the literature, semantic security is the well-established gold standard in defining the security of an encryption scheme. Semantic security is a simulation-based security notion, where the success probability of an adversary trying to guess meaningful information about a ciphertext is compared to that of a simulator, which has the same goal as the adversary but is not allowed to see the ciphertext at all. The probability is taken over the internal randomness of the algorithms (and, hence, over all the keys), and 'interesting' and 'non-interesting' information is defined in terms of a target function $f$ and an auxiliary information function $h$, respectively (these are functions of the possible plaintexts). The goal of the adversary/simulator is to guess $f(x)$ when having access to $h(x)$, for a certain plaintext $x$ drawn from a chosen distribution. The scheme is considered secure if the adversary and the simulator have roughly the same probability of guessing $f(x)$.
There are many different but equivalent ways to define semantic security for SKES. In this work, we follow the approach from [Gol04].
Definition 3.14 (SEM Adversary, SEM Simulator). Let $\mathcal{E} := \mathcal{E}_{K,X,Y}$ be a SKES, and $f, h : \{0,1\}^* \to \{0,1\}^*$ two functions efficiently computable and polynomially bounded in the input bit size. A SEM adversary $\mathcal{A}$ for $\mathcal{E}$ is a PPT algorithm $\mathcal{A} : Y \times \mathrm{Supp}(h) \to \mathrm{Supp}(f)$. A SEM simulator $\mathcal{S}$ for $\mathcal{E}$ is a PPT algorithm $\mathcal{S} : \mathrm{Supp}(h) \to \mathrm{Supp}(f)$.
Notice that, w.l.o.g., we can assume that $h(x)$ always includes the bit size of the plaintext $x$. We assume that $h$ and $f$ are efficiently computable, but actually, as shown in [Gol04], this is redundant.
Experiment 3.15 (Game $\mathrm{SEM}_{\mathcal{E},\mathcal{A}}$). Let $\mathcal{E}$ be a SKES, and $\mathcal{A}$ a SEM adversary. The SEM experiment proceeds as follows:
Input: $n \in \mathbb{N}$; $f, h : \{0,1\}^* \to \{0,1\}^*$ efficiently computable and polynomially bounded in the input bit size; $\mathcal{M} := (\mathcal{M}_n)_n$, where the $\mathcal{M}_n$ are probability distributions over $X_n$ with $|\mathcal{M}_n| = \mathrm{poly}(n)$.
1. $k \leftarrow \mathrm{KGen}(1^n)$
2. $m \leftarrow \mathcal{M}_n$
3. $c \leftarrow \mathrm{Enc}_k(m)$ (this is called the 'SEM challenge query')
4. $v \leftarrow \mathcal{A}(c, h(m))$
5. if $v = f(m)$ then Output: 1, else Output: 0.
Experiment 3.16 (Game $\mathrm{SEM}^*_{\mathcal{E},\mathcal{S}}$). Let $\mathcal{E}$ be a SKES, and $\mathcal{S}$ a SEM simulator. The simulated SEM experiment proceeds as follows:
Input: $n \in \mathbb{N}$; $f, h : \{0,1\}^* \to \{0,1\}^*$ efficiently computable and polynomially bounded in the input bit size; $\mathcal{M} := (\mathcal{M}_n)_n$, where the $\mathcal{M}_n$ are probability distributions over $X_n$ with $|\mathcal{M}_n| = \mathrm{poly}(n)$.
1. $k \leftarrow \mathrm{KGen}(1^n)$
2. $m \leftarrow \mathcal{M}_n$
3. $v \leftarrow \mathcal{S}(h(m))$
4. if $v = f(m)$ then Output: 1, else Output: 0.
Definition 3.17 (Semantic Security (SEM)). A SKES $\mathcal{E}$ is semantically secure (SEM) iff, for any SEM adversary $\mathcal{A}$ there exists a SEM simulator $\mathcal{S}$ such that, for every efficiently computable $f, h : \{0,1\}^* \to \{0,1\}^*$ polynomially bounded in the input bit size, and for every probability ensemble $\mathcal{M} := (\mathcal{M}_n)_n$, where the $\mathcal{M}_n$ are probability distributions over $X_n$ with $|\mathcal{M}_n| = \mathrm{poly}(n)$, it holds:
$$\Big|\Pr\big[\mathrm{Game}\ \mathrm{SEM}_{\mathcal{E},\mathcal{A}}(\mathcal{M}, f, h) \to 1\big] - \Pr\big[\mathrm{Game}\ \mathrm{SEM}^*_{\mathcal{E},\mathcal{S}}(\mathcal{M}, f, h) \to 1\big]\Big| \leq \mathrm{negl},$$
where the probabilities are taken over the randomness of $\mathcal{A}$, $\mathcal{E}$, $\mathcal{M}$, $\mathcal{S}$.
Intuitively, the notion of SEM tells us the following: any information about the plaintext the adversary could guess from the ciphertext could also be guessed by only looking at publicly available information. That means the ciphertext does not leak any meaningful information about the plaintext. This security notion captures in a very complete way what we want from an encryption scheme, but it has the drawback of being quite involved formally, and cumbersome to use in security proofs. Because of this, different notions of security are often used, which are equivalent to SEM but easier to formalize.
Ciphertext Indistinguishability
Another notion of security for encryption schemes is indistinguishability of ciphertexts (IND). Unlike SEM, this notion is game-based instead of simulation-based: there is no simulator at all, and security requires that no reasonable adversary can win a certain security game with probability substantially better than merely guessing. The IND security game consists in distinguishing the encryptions of two different plaintexts (chosen by the adversary). Although, unlike in the case of SEM, it is unclear at first glance that IND captures in a complete way exactly what we require from a 'secure' encryption scheme, we will see that the two notions are actually equivalent.

As in SEM, we model IND adversaries as PPT algorithms, as we are interested in computational security. However, in the IND game it is usually convenient to separate the adversary into two stages, each one with a specific function. The first stage, the message generator $\mathcal{M}$, chooses two messages from the plaintext space, the idea being that, in order to achieve the strongest security notion, the adversary is allowed to choose the most favourable scenario when playing this game. Then, one of these two messages is selected at random and encrypted with a key unknown to the adversary. Finally, the second stage of the adversary, the distinguisher $\mathcal{D}$, receives the resulting ciphertext, and his goal is to guess which one of the two plaintexts was encrypted. Formally, the adversary outputs a bit, and he wins the game if that bit is equal to the secret bit used to select one of the two plaintexts. More formally, we define an IND adversary as follows.
Definition 3.18 (IND Adversary). Let $\mathcal{E}$ be a SKES. An IND adversary $\mathcal{A}$ for $\mathcal{E}$ is a pair of PPT algorithms $\mathcal{A} := (\mathcal{M}, \mathcal{D})$, where:
    1. $\mathcal{M} : \to \mathcal{X} \times \mathcal{X} \times \{0,1\}^*$ is the IND message generator;
    2. $\mathcal{D} : \mathcal{Y} \times \{0,1\}^* \to \{0,1\}$ is the IND distinguisher.
The security experiment related to the IND notion is as follows.
Experiment 3.19 ($\mathrm{Game}^{\text{IND}}_{\mathcal{E},\mathcal{A}}$). Let $\mathcal{E}$ be a SKES, and $\mathcal{A} := (\mathcal{M}, \mathcal{D})$ an IND adversary. The IND experiment proceeds as follows:
    Input: $n \in \mathbb{N}$
    $k \leftarrow \mathrm{KGen}$
    $(m_0, m_1, \mathit{state}) \leftarrow \mathcal{M}$
    $b \xleftarrow{\$} \{0,1\}$
    $c \leftarrow \mathrm{Enc}_k(m_b)$    (this is called the 'IND challenge query')
    $b' \leftarrow \mathcal{D}(c, \mathit{state})$
    if $b' = b$ then Output: 1 else Output: 0
The advantage of $\mathcal{A}$ is defined as:
    $\mathrm{Adv}^{\text{IND}}_{\mathcal{E},\mathcal{A}} := \Pr\left[\mathrm{Game}^{\text{IND}}_{\mathcal{E},\mathcal{A}} \to 1\right] - \frac{1}{2}.$

Notice the following:
• $\mathcal{D}$ and $\mathcal{M}$ are part of the same 'entity' (the IND adversary $\mathcal{A}$), so they should be allowed to exchange information. In particular, $\mathcal{D}$ should know which are the two original messages generated by $\mathcal{M}$. In the security game, this is modeled by passing a state string $\mathit{state}$ from $\mathcal{M}$ to $\mathcal{D}$ (obviously this string has bit size at most polynomial in the security parameter, since $\mathcal{M}$ is PPT).
• There is no need to impose the condition that the two plaintexts generated by $\mathcal{M}$ must be distinct, as the security notion requires that all adversaries (including those who choose distinct messages) fail at winning the game.
• Since there are only two messages to choose from, the adversary can always win with 50% probability by guessing randomly. Therefore, the advantage of the adversary is measured in terms of doing better than merely guessing.
• The probability is over $b$ and the internal randomness of $\mathcal{A}$ and $\mathrm{KGen}$.

Definition 3.20 (Indistinguishability of Ciphertexts (IND)). A SKES $\mathcal{E}$ has indistinguishable encryptions (or, it is IND secure) iff, for any IND adversary $\mathcal{A}$ it holds that:
    $\mathrm{Adv}^{\text{IND}}_{\mathcal{E},\mathcal{A}} \leq \mathrm{negl}.$

The advantage of the IND notion is that, being game-based, it is easier to use in cryptographic reductions. At the same time, one can show that it is equivalent to SEM.
Theorem 3.21 ([Gol04]) . A SKES is IND secure iff it is SEM secure.
Moreover, it has to be mentioned that the choice of defining the IND game in terms of two different messages is not compulsory: there are alternative definitions of the game where $\mathcal{M}$ only generates one message, and the other is either chosen randomly or set to 0, or where $\mathcal{M}$ generates polynomially many messages, and one of them is selected for the encryption. All these notions turn out to be equivalent, with small modifications.

An example of an (unconditionally) IND secure SKES is the OTP.

The notions of IND can be augmented, i.e., made stronger, by granting extra power to the IND adversary in the form of oracles. Since the adversary acquires additional computational power in so doing, it might be the case that IND secure schemes now become insecure because of this extra power. Therefore, the resulting security notions are (potentially) stronger, and encryption schemes which are resistant against the new, augmented adversaries are automatically resistant to the weaker adversaries as well. The more power is given to the adversaries, the potentially stronger the security notion.

Traditionally, oracles have been used to model attack scenarios not covered by the IND notion alone. Of course, one could simply give the adversary unlimited access to a decryption oracle and make him super powerful. But that would make the security notion so strong as to be unachievable: after all, SKES are not meant to protect against adversaries in possession of the secret key. Instead, other scenarios are considered.
Chosen Plaintext Attacks
In the chosen plaintext attack (CPA) scenario, the adversary is able to see encryptions of additional messages, in addition to the ones used in the IND game. He is allowed to choose the plaintexts to be encrypted by querying the encryption oracle $\mathrm{Enc}_k$ during the execution of the IND game. Moreover, he can perform the oracle queries in an adaptive way, i.e., reacting adaptively to the oracle's answers, for a polynomial number of queries, both before and after the IND challenge query. The resulting security game is as follows.

Experiment 3.22 ($\mathrm{Game}^{\text{IND-CPA}}_{\mathcal{E},\mathcal{A}}$). Let $\mathcal{E}$ be a SKES, and $\mathcal{A} := (\mathcal{M}, \mathcal{D})$ an IND adversary. The IND-CPA experiment proceeds as follows:
    Input: $n \in \mathbb{N}$
    $k \leftarrow \mathrm{KGen}$
    $(m_0, m_1, \mathit{state}) \leftarrow \mathcal{M}^{\mathrm{Enc}_k}$
    $b \xleftarrow{\$} \{0,1\}$
    $c \leftarrow \mathrm{Enc}_k(m_b)$
    $b' \leftarrow \mathcal{D}^{\mathrm{Enc}_k}(c, \mathit{state})$
    if $b' = b$ then Output: 1 else Output: 0
The advantage of $\mathcal{A}$ is defined as:
    $\mathrm{Adv}^{\text{IND-CPA}}_{\mathcal{E},\mathcal{A}} := \Pr\left[\mathrm{Game}^{\text{IND-CPA}}_{\mathcal{E},\mathcal{A}} \to 1\right] - \frac{1}{2}.$

Definition 3.23 (Indistinguishability of Ciphertexts under Chosen Plaintext Attack (IND-CPA)). A SKES $\mathcal{E}$ has indistinguishable encryptions under chosen plaintext attack (or, it is IND-CPA secure) iff, for any IND adversary $\mathcal{A}$ it holds that:
    $\mathrm{Adv}^{\text{IND-CPA}}_{\mathcal{E},\mathcal{A}} \leq \mathrm{negl}.$

As discussed above, IND-CPA is clearly at least as strong as IND.
Theorem 3.24 (IND-CPA $\Rightarrow$ IND). If a SKES is IND-CPA secure, then it is also IND secure.
But the converse is not true. In particular, all the encryption schemes that are not randomized cannot be IND-CPA secure, because then the adversary could always win the security game by first encrypting two messages of his choice, then performing the IND challenge, and then comparing the resulting ciphertext with the encryptions previously obtained. As an example, the OTP is not IND-CPA secure, despite being IND secure.

Theorem 3.25 (IND $\not\Rightarrow$ IND-CPA). There exist SKES which are IND secure, but not IND-CPA secure.

Construction 3.26 ([Gol04, Construction 5.3.9]). Let $F : \mathcal{X} \to \mathcal{Y}$ be a PRF with key space $\mathcal{K}$. Define $\mathcal{E} = \mathcal{E}_{\mathcal{K},\mathcal{Y},\mathcal{Y}\times\mathcal{X}} := (\mathrm{KGen}, \mathrm{Enc}, \mathrm{Dec})$ as a SKES with key space $\mathcal{K}$, plaintext space $\mathcal{Y}$, and ciphertext space $\mathcal{Y} \times \mathcal{X}$, as follows:
    1. $\mathrm{KGen} \to k$, with $k \xleftarrow{\$} \mathcal{K}$;
    2. $\mathrm{Enc}_k(x) \to (y, r)$, with $y := x \oplus F_k(r)$, where $r \xleftarrow{\$} \mathcal{X}$;
    3. $\mathrm{Dec}_k(y, r) := y \oplus F_k(r)$.

Theorem 3.27. Construction 3.26 is an IND-CPA SKES.

Proof (sketch). The one-time pad is perfectly (statistically) secure if used with random, independent keys. This means that the only way to break the security of $\mathcal{E}$ is to break the security of $F$. Since a fresh randomness $r$ is chosen for every encryption, and since the image $F_k(r)$ can be recovered from the related plaintext/ciphertext pairs, giving the adversary oracle access to $\mathrm{Enc}_k$ is equivalent to giving him oracle access to $F_k$. However, by Definition 3.5, this is indistinguishable from a random oracle for any PPT adversary, so that the security of the one-time pad carries over, although only computationally.

Then, recalling Corollary 3.4 and Theorem 3.7, we can state the following.
Corollary 3.28 (IND-CPA SKES from OWF) . If OWFs exist, then IND-CPA SKES exist.
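Construction 3.26 and the IND-CPA game of Experiment 3.22 run end to end, as an added example that is not code from the thesis: the PRF $F_k$ is assumed to be HMAC-SHA256, plaintexts are 32-byte strings, and a deterministic 'fixed-key OTP' stands in for the non-randomized schemes ruled out by Theorem 3.25. The generic compare-with-an-earlier-encryption adversary from that discussion wins outright against the deterministic scheme and does no better than guessing against Construction 3.26.

```python
"""Construction 3.26 and the IND-CPA game of Experiment 3.22.

Added example, not code from the thesis. Assumptions: the PRF F_k is
instantiated with HMAC-SHA256 (a standard PRF assumption), plaintexts are
32-byte strings, and a 'fixed-key OTP' (Enc_k(x) = x xor k) stands in for the
non-randomized schemes ruled out by Theorem 3.25.
"""
import hashlib
import hmac
import secrets

BLOCK = 32  # plaintext space X = {0,1}^256, handled as fixed-size bytes


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def prf(k: bytes, r: bytes) -> bytes:
    """F_k(r): HMAC-SHA256 playing the role of the PRF of Definition 3.5."""
    return hmac.new(k, r, hashlib.sha256).digest()


class PRFScheme:
    """Construction 3.26: Enc_k(x) = (x xor F_k(r), r) with fresh random r."""

    def kgen(self) -> bytes:
        return secrets.token_bytes(BLOCK)

    def enc(self, k: bytes, x: bytes) -> tuple:
        r = secrets.token_bytes(BLOCK)  # r <-$ X, fresh for every encryption
        return (xor(x, prf(k, r)), r)

    def dec(self, k: bytes, c: tuple) -> bytes:
        y, r = c
        return xor(y, prf(k, r))


class FixedKeyOTP:
    """Deterministic SKES Enc_k(x) = x xor k: IND secure for one message, but
    not IND-CPA, since equal plaintexts always give equal ciphertexts."""

    def kgen(self) -> bytes:
        return secrets.token_bytes(BLOCK)

    def enc(self, k: bytes, x: bytes) -> tuple:
        return (xor(x, k),)

    def dec(self, k: bytes, c: tuple) -> bytes:
        return xor(c[0], k)


def ind_cpa_game(scheme, adversary) -> int:
    """One run of Game^{IND-CPA}_{E,A} (Experiment 3.22); returns 1 iff A wins."""
    k = scheme.kgen()

    def enc_oracle(x: bytes) -> tuple:  # Enc_k, available to both M and D
        return scheme.enc(k, x)

    m0, m1, state = adversary.message_generator(enc_oracle)
    b = secrets.randbelow(2)
    c = scheme.enc(k, (m0, m1)[b])  # the IND challenge query
    b_guess = adversary.distinguisher(enc_oracle, c, state)
    return 1 if b_guess == b else 0


class CompareAdversary:
    """The generic adversary from the discussion of Theorem 3.25: encrypt m0
    through the oracle first, then compare the challenge against it."""

    def message_generator(self, enc_oracle):
        m0 = bytes([0x00] * BLOCK)  # constructed messages
        m1 = bytes([0xFF] * BLOCK)
        return m0, m1, {"c0": enc_oracle(m0)}  # state carries Enc_k(m0)

    def distinguisher(self, enc_oracle, c, state) -> int:
        # Decisive only when Enc_k is deterministic; for Construction 3.26 the
        # fresh r makes c != c0 whatever b is, so this guesses 1 every time.
        return 0 if c == state["c0"] else 1


def empirical_advantage(scheme, adversary, runs: int = 400) -> float:
    """Estimate of Adv^{IND-CPA}_{E,A}: (fraction of games won) - 1/2."""
    wins = sum(ind_cpa_game(scheme, adversary) for _ in range(runs))
    return wins / runs - 0.5


if __name__ == "__main__":
    # Expected: 0.5 for the deterministic scheme, close to 0.0 for 3.26
    print("fixed-key OTP    :", empirical_advantage(FixedKeyOTP(), CompareAdversary()))
    print("Construction 3.26:", empirical_advantage(PRFScheme(), CompareAdversary()))
```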
Non-Adaptive Chosen Ciphertext Attacks
In the non-adaptive chosen ciphertext attack (CCA1) scenario, in addition to the IND-CPA capabilities, the adversary is also able to see decryptions of certain ciphertexts. As in the CPA case, he is allowed to choose the ciphertexts to be decrypted by querying the decryption oracle $\mathrm{Dec}_k$ during the execution of the IND game. However, unlike in the CPA case, he is only able to interact with this oracle before the IND challenge query, and not afterward. The adversary is allowed to perform the decryption oracle queries in an adaptive way, for a polynomial number of queries, but only before the IND challenge query, hence the term 'non-adaptive' (see the footnote below). Notice, in fact, that if the adversary were able to perform arbitrary decryption queries after the challenge query as well, this would allow him to decrypt the challenge ciphertext, and therefore it would render the security notion unachievable. The resulting security game for the CCA1 scenario is as follows.

Footnote: Admittedly, this well-established term in the scientific literature is somewhat misleading, because this 'non-adaptivity' refers to 'in respect to the challenge ciphertext', while the queries to the decryption oracle can actually be performed adaptively.
Experiment 3.29 ($\mathrm{Game}^{\text{IND-CCA1}}_{\mathcal{E},\mathcal{A}}$). Let $\mathcal{E}$ be a SKES, and $\mathcal{A} := (\mathcal{M}, \mathcal{D})$ an IND adversary. The IND-CCA1 experiment proceeds as follows:
    Input: $n \in \mathbb{N}$
    $k \leftarrow \mathrm{KGen}$
    $(m_0, m_1, \mathit{state}) \leftarrow \mathcal{M}^{\mathrm{Enc}_k, \mathrm{Dec}_k}$
    $b \xleftarrow{\$} \{0,1\}$
    $c \leftarrow \mathrm{Enc}_k(m_b)$
    $b' \leftarrow \mathcal{D}^{\mathrm{Enc}_k}(c, \mathit{state})$
    if $b' = b$ then Output: 1 else Output: 0
The advantage of $\mathcal{A}$ is defined as:
    $\mathrm{Adv}^{\text{IND-CCA1}}_{\mathcal{E},\mathcal{A}} := \Pr\left[\mathrm{Game}^{\text{IND-CCA1}}_{\mathcal{E},\mathcal{A}} \to 1\right] - \frac{1}{2}.$

Definition 3.30 (Indistinguishability of Ciphertexts under Non-Adaptive Chosen Ciphertext Attack (IND-CCA1)). A SKES $\mathcal{E}$ has indistinguishable encryptions under non-adaptive chosen ciphertext attack (or, it is IND-CCA1 secure) iff, for any IND adversary $\mathcal{A}$ it holds that:
    $\mathrm{Adv}^{\text{IND-CCA1}}_{\mathcal{E},\mathcal{A}} \leq \mathrm{negl}.$

IND-CCA1 is clearly at least as strong as IND-CPA.
Theorem 3.31 (IND-CCA1 $\Rightarrow$ IND-CPA). If a SKES is IND-CCA1 secure, then it is also IND-CPA secure.

But the converse is not true. There are IND-CPA secure SKES where being able to decrypt different but related ciphertexts can leak information about the secret key used.

Theorem 3.32 (IND-CPA $\not\Rightarrow$ IND-CCA1). There exists a SKES which is IND-CPA secure, but not IND-CCA1 secure.

Proof (sketch). Consider a SKES $\mathcal{E}' = (\mathrm{KGen}', \mathrm{Enc}', \mathrm{Dec}')$ obtained by modifying another, IND-CPA secure SKES $\mathcal{E} = (\mathrm{KGen}, \mathrm{Enc}, \mathrm{Dec})$ as follows:
    1. $\mathrm{KGen}' \to (k, \tilde m)$, where $k \leftarrow \mathrm{KGen}$, and $\tilde m$ is a special message, unknown to the adversary;
    2. $\mathrm{Enc}'_k(m) \to (\mathrm{Enc}_k(m), \mathrm{Enc}_k(\tilde m))$ if $m \neq \tilde m$, and $\mathrm{Enc}'_k(m) \to (\mathrm{Enc}_k(m), k)$ otherwise;
    3. $\mathrm{Dec}'_k(y, z) := \mathrm{Dec}_k(y)$.
$\mathcal{E}'$ is still IND-CPA secure, because the probability for any adversary of guessing the plaintext $\tilde m$ is negligible. However, in the CCA1 scenario it is trivial to break such a modified scheme, by first performing a CPA query to obtain a valid ciphertext, then performing a CCA1 decryption query on the ciphertext obtained by swapping the two ciphertext halves, therefore recovering $\tilde m$, and then performing another CPA query on $\tilde m$, hence recovering the secret key.

However, Construction 3.26 is also IND-CCA1.

Theorem 3.33. Let $\mathcal{E}$ be the SKES from Construction 3.26. Then $\mathcal{E}$ is an IND-CCA1 SKES.

Proof (sketch). Being able to perform decryption queries (before the challenge phase) gives the adversary the possibility to forge new ciphertexts different from (but related in a known way to) some other ciphertext of his choice. However, before the challenge phase, this does not provide any extra power, except the possibility of performing (polynomially many) extra queries to the PRF.

Then, recalling Corollary 3.4 and Theorem 3.7, we can state the following.
Corollary 3.34 (IND-CCA1 SKES from OWF) . If OWFs exist, then IND-CCA1 SKES exist.
Adaptive Chosen Ciphertext Attacks
Finally, in the adaptive chosen ciphertext attack scenario, in addition to the IND-CCA1 capabilities, the adversary is able to query the decryption oracle also after the challenge query, with an important exception: he is not allowed to query $\mathrm{Dec}_k$ on the challenge ciphertext received. This restriction is necessary, as we have already discussed in the CCA1 case, because otherwise the adversary could simply decrypt the challenge ciphertext and trivially win the game, and this would make the security notion unachievable. Formally, we therefore have to define a 'modified' decryption oracle, which is able to reject certain 'forbidden' decryption queries (those trying to decrypt the challenge ciphertext), by replying with a special symbol $\bot$ to those queries.

Definition 3.35 (CCA2 Oracle). Let $\mathcal{E} := (\mathrm{KGen}, \mathrm{Enc}, \mathrm{Dec})$ be a SKES, and $c^* \in \mathrm{Supp}(\mathrm{Enc})$. The CCA2 decryption oracle rejecting $c^*$ is defined by:
    $\mathrm{Dec}^{c^*}_k(c) \to \mathrm{Dec}_k(c)$ if $c \neq c^*$, and $\mathrm{Dec}^{c^*}_k(c) \to \bot$ otherwise.
The new security game is defined as follows.
Experiment 3.36 ($\mathrm{Game}^{\text{IND-CCA2}}_{\mathcal{E},\mathcal{A}}$). Let $\mathcal{E}$ be a SKES, and $\mathcal{A} := (\mathcal{M}, \mathcal{D})$ an IND adversary. The IND-CCA2 experiment proceeds as follows:
    Input: $n \in \mathbb{N}$
    $k \leftarrow \mathrm{KGen}$
    $(m_0, m_1, \mathit{state}) \leftarrow \mathcal{M}^{\mathrm{Enc}_k, \mathrm{Dec}_k}$
    $b \xleftarrow{\$} \{0,1\}$
    $c \leftarrow \mathrm{Enc}_k(m_b)$
    $b' \leftarrow \mathcal{D}^{\mathrm{Enc}_k, \mathrm{Dec}^{c}_k}(c, \mathit{state})$
    if $b' = b$ then Output: 1 else Output: 0
The advantage of $\mathcal{A}$ is defined as:
    $\mathrm{Adv}^{\text{IND-CCA2}}_{\mathcal{E},\mathcal{A}} := \Pr\left[\mathrm{Game}^{\text{IND-CCA2}}_{\mathcal{E},\mathcal{A}} \to 1\right] - \frac{1}{2}.$

Definition 3.37 (Indistinguishability of Ciphertexts under Adaptive Chosen Ciphertext Attack (IND-CCA2)). A SKES $\mathcal{E}$ has indistinguishable encryptions under adaptive chosen ciphertext attack (or, it is IND-CCA2 secure) iff, for any IND adversary $\mathcal{A}$ it holds that:
    $\mathrm{Adv}^{\text{IND-CCA2}}_{\mathcal{E},\mathcal{A}} \leq \mathrm{negl}.$

IND-CCA2 is clearly at least as strong as IND-CCA1.
Theorem 3.38 (IND-CCA2 $\Rightarrow$ IND-CCA1). If a SKES is IND-CCA2 secure, then it is also IND-CCA1 secure.

But the converse is not true. There exist IND-CCA1 secure SKES where an adversary able to decrypt ciphertexts which are different from, but related to, the challenge ciphertext can find out information about the underlying plaintext.

Theorem 3.39 (IND-CCA1 $\not\Rightarrow$ IND-CCA2). There exist SKES which are IND-CCA1 secure, but not IND-CCA2 secure.

Proof (sketch). The counterexample is given by Construction 3.26, as already hinted in the proof of Theorem 3.33. Being able to forge a valid ciphertext related in a controlled way to a target challenge ciphertext $c$ allows the adversary to ask for decryptions of such ciphertexts without violating the CCA2 limitation that the ciphertext must be different from the challenge one. For example, the adversary might be able to ask for the decryption of $c \oplus 0\ldots01$, which is $m \oplus 0\ldots01$, where $m$ was the original plaintext.

Finally, although we are not going to write it down formally, it is possible to extend the SEM security notion to CPA, CCA1, and CCA2 scenarios as well, obtaining the security notions SEM-CPA, SEM-CCA1, and SEM-CCA2 respectively. Each of them can be shown to be equivalent to its IND counterpart. The situation is summarized in Figure 3.1.

Figure 3.1: Relations for SKES security notions in $\mathrm{QS}_0$.

3.3 Public-Key Encryption Schemes

Another important cryptographic primitive are public-key encryption schemes (PKES). Analogously to SKES, PKES work by encrypting messages from a plaintext space $\mathcal{X}$ to a ciphertext space $\mathcal{Y}$, and decrypting ciphertexts the other way around. The difference this time is that the key generation algorithm generates pairs of keys: a public key $\mathit{pk}$ which is only used to encrypt, and a secret key $\mathit{sk}$ which is only used to decrypt. W.l.o.g. we assume that, for security parameter $n$, public keys are of bit size $p(n)$, while secret keys are of bit size $s(n)$, where $p, s$ are polynomial functions determined by the scheme considered. Under this notation, we identify the (public, private) key space $\mathcal{K}$ as $(\mathcal{K}_n)_n = (\mathcal{K}^p_n)_n \times (\mathcal{K}^s_n)_n =: \mathcal{K}^p \times \mathcal{K}^s \subset \{0,1\}^{p(n)} \times \{0,1\}^{s(n)}$.

Definition 3.40 (Public-Key Encryption Scheme (PKES)). A public-key encryption scheme (PKES) with plaintext space $\mathcal{X}$, ciphertext space $\mathcal{Y}$, and key space $\mathcal{K} := \mathcal{K}^p \times \mathcal{K}^s$ is a tuple of PPT algorithms $\mathcal{E} := \mathcal{E}_{\mathcal{K},\mathcal{X},\mathcal{Y}} := (\mathrm{KGen}, \mathrm{Enc}, \mathrm{Dec})$:
    1. $\mathrm{KGen} : \to \mathcal{K}$;
    2. $\mathrm{Enc} : \mathcal{K}^p \times \mathcal{X} \to \mathcal{Y}$;
    3. $\mathrm{Dec} : \mathcal{K}^s \times \mathcal{Y} \to \mathcal{X} \cup \{\bot\}$;
such that $\forall n \in \mathbb{N}, \forall x \in \mathcal{X}, \forall (\mathit{pk}, \mathit{sk}) \leftarrow \mathrm{KGen} \Rightarrow \mathrm{Dec}(\mathit{sk}, \mathrm{Enc}(\mathit{pk}, x)) = x$.

As in the case of SKES, the following hold:
• We assume w.l.o.g. that $n$ is also appended to every $\mathit{pk}$ and every $\mathit{sk}$ such that $(\mathit{pk}, \mathit{sk}) \leftarrow \mathrm{KGen}$, so that every key also implicitly contains the security parameter.
• As a shorthand notation, we will write $\mathrm{Enc}_{\mathit{pk}}$ meaning the $\mathrm{Enc}$ algorithm with $\mathit{pk} \in \mathcal{K}^p$ fixed as a first input; analogously for $\mathrm{Dec}_{\mathit{sk}}$.
• If $\mathrm{Enc}_{\mathit{pk}}$ is probabilistic for all $\mathit{pk} \in \mathcal{K}^p$, then we say that $\mathcal{E}$ is randomized, otherwise we say that $\mathcal{E}$ is deterministic.
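Returning to the SKES case for a moment, the CCA2 decryption oracle of Definition 3.35 applied to Construction 3.26 reproduces the malleability argument of Theorem 3.39, and the same oracle run over an encrypt-then-MAC variant shows the related ciphertext being rejected instead. This is an added example, not code from the thesis; it assumes HMAC-SHA256 for the PRF $F_k$ and, under an independent key, for the MAC of the hardened variant (a construction not taken from this chapter).

```python
"""The CCA2 oracle of Definition 3.35 run against Construction 3.26
(the malleability behind Theorem 3.39) and against an encrypt-then-MAC
variant that rejects modified ciphertexts.

Added example, not code from the thesis. Assumptions: HMAC-SHA256 as the PRF
F_k, 32-byte plaintexts, and, for the hardened variant, HMAC-SHA256 under an
independent key as the MAC (a construction not taken from this chapter).
"""
import hashlib
import hmac
import secrets

BLOCK = 32
REJECT = None  # stands for the special symbol bottom of Definition 3.35


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def prf(k: bytes, r: bytes) -> bytes:
    return hmac.new(k, r, hashlib.sha256).digest()


# Construction 3.26: c = (y, r) with y = x xor F_k(r), r fresh and random
def enc_326(k: bytes, x: bytes) -> tuple:
    r = secrets.token_bytes(BLOCK)
    return (xor(x, prf(k, r)), r)


def dec_326(k: bytes, c: tuple) -> bytes:
    y, r = c
    return xor(y, prf(k, r))


# Encrypt-then-MAC variant: c = (y, r, tag) with tag = MAC_{k_mac}(y || r)
def enc_etm(k: dict, x: bytes) -> tuple:
    y, r = enc_326(k["enc"], x)
    tag = hmac.new(k["mac"], y + r, hashlib.sha256).digest()
    return (y, r, tag)


def dec_etm(k: dict, c: tuple):
    y, r, tag = c
    expected = hmac.new(k["mac"], y + r, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return REJECT  # any modified ciphertext decrypts to bottom
    return dec_326(k["enc"], (y, r))


def cca2_oracle(dec, k, challenge):
    """Dec_k^{c*}: answers every query except the challenge ciphertext."""

    def oracle(c: tuple):
        if c == challenge:
            return REJECT
        return dec(k, c)

    return oracle


def flip_last_bit(c: tuple) -> tuple:
    """The related ciphertext c xor 0...01 of the proof of Theorem 3.39:
    differs from c* in the last bit of y only, so the oracle must answer."""
    y = c[0]
    return (y[:-1] + bytes([y[-1] ^ 0x01]),) + c[1:]


def oracle_answer_on_related(enc, dec, k, m: bytes):
    """What the CCA2 oracle returns for the ciphertext related to Enc_k(m):
    m xor 0...01 for Construction 3.26, REJECT for encrypt-then-MAC."""
    c_star = enc(k, m)
    oracle = cca2_oracle(dec, k, c_star)
    assert oracle(c_star) is REJECT  # the forbidden query itself is refused
    return oracle(flip_last_bit(c_star))


if __name__ == "__main__":
    m = b"A" * BLOCK  # constructed challenge plaintext
    k = secrets.token_bytes(BLOCK)
    print("Construction 3.26 :", oracle_answer_on_related(enc_326, dec_326, k, m))
    k2 = {"enc": secrets.token_bytes(BLOCK), "mac": secrets.token_bytes(BLOCK)}
    print("encrypt-then-MAC  :", oracle_answer_on_related(enc_etm, dec_etm, k2, m))
```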
The notions of security for PKES are basically the same as the ones for SKES, with two important differences:
    1. Because the public keys are, in fact, public, all the parties (including every stage of any adversary) can perform encryptions in polynomial time. Therefore, all parties have oracle access to $\mathrm{Enc}_{\mathit{pk}}$. In particular, giving $\mathcal{M}$ and $\mathcal{D}$ the public key $\mathit{pk}$ as input also implies access to $\mathrm{Enc}_{\mathit{pk}}$.
    2. As an immediate consequence, notice that for PKES, IND-CPA is the minimal meaningful security notion. In fact, if $\mathcal{E}$ is a PKES and $\mathcal{A}$ an IND adversary for $\mathcal{E}$, notice that $\mathrm{Game}^{\text{IND-CPA}}_{\mathcal{E},\mathcal{A}} = \mathrm{Game}^{\text{IND}}_{\mathcal{E},\mathcal{A}^{\mathrm{Enc}_{\mathit{pk}}}}$.

Finally, as in the SKES case, it is clear that for a PKES to be IND-CPA secure, $\mathrm{Supp}(\mathrm{KGen}(n))$ must be superpolynomial in $n$; actually, both $|\{\mathit{pk} \in \mathcal{K}^p_n\}|$ and $|\{\mathit{sk} \in \mathcal{K}^s_n\}|$ must be superpolynomial in $n$.

IND-CPA secure PKES can be built from OWTPs. Assume for simplicity that $\mathcal{X} = \{0,1\}^n$. Then we define the following.

Construction 3.41 (PKES from OWTP). Let $\mathcal{P} := (\mathrm{Gen}, \mathrm{Eval}, \mathrm{Invert})$ be a OWTP on $\mathcal{X}$, with index and trapdoor spaces $\mathcal{I}$ and $\mathcal{T}$ respectively, and let $G_{\mathcal{P}} : \mathcal{X} \to \mathcal{X}$ be the Goldreich-Levin PRNG for $\mathcal{P}$ (seen as a OWF with hard-core predicates). Define $\mathcal{E} = \mathcal{E}_{\mathcal{K},\mathcal{X},\mathcal{X}} := (\mathrm{KGen}, \mathrm{Enc}, \mathrm{Dec})$ as a PKES with (public, private) key space $\mathcal{K} = \mathcal{K}^p \times \mathcal{K}^s$ (where $\mathcal{K}^p := \mathcal{I}$ and $\mathcal{K}^s := \mathcal{T}$), plaintext space $\mathcal{X}$, and ciphertext space $\mathcal{X}$, in the following way:
    1. $\mathrm{KGen} \to (\mathit{pk}, \mathit{sk})$, with $(\mathit{pk}, \mathit{sk}) := (i, t) \leftarrow \mathrm{Gen}$;
    2. $\mathrm{Enc}_{\mathit{pk}}(x) \to (y, z)$, with $y := x \oplus G_{\mathcal{P}}(r)$ and $z \leftarrow \mathrm{Eval}(\mathit{pk}, r)$, where $r \xleftarrow{\$} \mathcal{X}$;
    3. $\mathrm{Dec}_{\mathit{sk}}(y, z) := y \oplus G_{\mathcal{P}}(s)$, where $s \leftarrow \mathrm{Invert}(\mathit{pk}, \mathit{sk}, z)$.

Theorem 3.42 (IND-CPA PKES from OWTP). Construction 3.41 is an IND-CPA secure PKES.

Proof (sketch). If we omit the second half $z$ of the ciphertext, then the indistinguishability of the encryptions immediately follows from the information-theoretic security of the OTP, as the key $r$ of the OTP is always sampled independently and uniformly at random, and the output of the PRNG is computationally indistinguishable from random. So the only way to attack the scheme would be to extract information about the seed $r$ of the PRNG by looking at the OWTP image $z$ obtained through $\mathrm{Eval}$. However, since $G_{\mathcal{P}}$ only outputs a sequence built from hard-core bits of $\mathcal{P}$, this would violate the one-wayness of the OWTP.

3.4 Digital Signature Schemes

Digital signature schemes (DSS) are another fundamental cryptographic building block for many other advanced constructions. In a DSS, each user has a unique private/public key pair, as in PKES. However, the goal is not to protect the secrecy of the message, but its authenticity, intended as assurance about the identity of the originator of the message, and its integrity, intended as a guarantee that the original message sent by the originator has not been altered prior to being received. This is achieved by computing a piece of information (the signature) to attach to a message, in such a way that everyone can verify that such a signature could not be computed without possession of a specific secret key. More in detail, the signature is computed by the sender of a message using the sender's private key, and it is attached to the message. The verifier, upon receiving the message, checks the validity of the signature by using the sender's public key. The signature is a (short) message- and secret-key-specific bit string, with the following properties:
    1. for any message and any secret key, it is efficiently computable; and
    2. for any message, it is hard to generate a valid signature for any public key without having the corresponding secret key.
More formally, and borrowing the notation used in Section 3.3, we define a DSS as follows.
Definition 3.43 (Digital Signature Scheme (DSS)). A digital signature scheme (DSS) with message space $\mathcal{X}$, signature space $\mathcal{T}$, and key space $\mathcal{K} := \mathcal{K}^p \times \mathcal{K}^s$ is a tuple of PPT algorithms $\mathsf{Sig} := \mathsf{Sig}_{\mathcal{K},\mathcal{X},\mathcal{T}} := (\mathrm{KGen}, \mathrm{Sign}, \mathrm{SigVerify})$:
    1. $\mathrm{KGen} : \to \mathcal{K}$;
    2. $\mathrm{Sign} : \mathcal{K}^s \times \mathcal{X} \to \mathcal{T}$;
    3. $\mathrm{SigVerify} : \mathcal{K}^p \times \mathcal{X} \times \mathcal{T} \to \{0,1\}$;
such that the following correctness condition holds: $\forall n \in \mathbb{N}, \forall x \in \mathcal{X}, \forall (\mathit{pk}, \mathit{sk}) \leftarrow \mathrm{KGen}, \forall \mathit{sig} \leftarrow \mathrm{Sign}(\mathit{sk}, x) \Rightarrow \mathrm{SigVerify}(\mathit{pk}, x, \mathit{sig}) = 1$.

As in the case of SKES, the following hold:
• We assume w.l.o.g. that $n$ is also appended to every $\mathit{pk}$ and every $\mathit{sk}$ such that $(\mathit{pk}, \mathit{sk}) \leftarrow \mathrm{KGen}$, so that every key also implicitly contains the security parameter.
• As a shorthand notation, we will write $\mathrm{Sign}_{\mathit{sk}}$ meaning the $\mathrm{Sign}$ algorithm with $\mathit{sk} \in \mathcal{K}^s$ fixed as a first input; analogously for $\mathrm{SigVerify}_{\mathit{pk}}$.
Existential Unforgeability
The notion of security for DSS is given in terms of (strong) existential unforgeability under chosen message attack (there are also weaker notions, but we will not use them here). An adversary is successful if he manages to create a valid signature for a message and public key without having the corresponding secret key, even after observing a polynomial number of valid message/signature pairs.

Experiment 3.44 ($\mathrm{Game}^{\text{EUF-CMA}}_{\mathsf{Sig},\mathcal{A}}$). Let $\mathsf{Sig}$ be a DSS, and $\mathcal{A}$ a PPT algorithm. The EUF-CMA experiment proceeds as follows:
    Input: $n, q_s \in \mathbb{N}$
    $(\mathit{pk}, \mathit{sk}) \leftarrow \mathrm{KGen}$
    $(x, \mathit{sig}) \leftarrow \mathcal{A}^{\mathrm{Sign}_{\mathit{sk}}}(\mathit{pk})$, after making at most $q_s$ queries to $\mathrm{Sign}_{\mathit{sk}}$, receiving signatures $(x_1, \mathit{sig}_1), \ldots, (x_{q_s}, \mathit{sig}_{q_s})$
    if $\mathrm{SigVerify}(\mathit{pk}, x, \mathit{sig}) = 1$ and $x \neq x_i$ $\forall i = 1, \ldots, q_s$ then Output: 1 else Output: 0
The advantage of $\mathcal{A}$ is defined as:
    $\mathrm{Adv}^{\text{EUF-CMA}}_{\mathsf{Sig},\mathcal{A}}(n, q_s) := \Pr\left[\mathrm{Game}^{\text{EUF-CMA}}_{\mathsf{Sig},\mathcal{A}}(n, q_s) \to 1\right].$

Sometimes we also consider a slightly different version of Experiment 3.44, where the public/private key pair is given as an input to the game instead of being generated randomly. This is useful if we want to target a specific public key during some security reduction.
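The EUF-CMA game of Experiment 3.44 run against a concrete DSS, as an added example that is not code from the thesis: the scheme is the Fiat-Shamir transform (introduced in Section 3.5 below) of Schnorr's Σ-protocol for discrete logarithms, SHA-256 plays the hash $h$, and the group is a toy subgroup of order 1019 in $\mathbb{Z}_{2039}^*$ chosen so that the code runs instantly. All three are assumptions, and the group is far too small to be secure; the point is the bookkeeping of the game (signing oracle, query budget $q_s$, and the check $x \neq x_i$), which rules out a replayed signature as a forgery.

```python
"""Game^{EUF-CMA}_{Sig,A} of Experiment 3.44 against a Fiat-Shamir signature.

Added example, not code from the thesis. Assumptions: the DSS is the FS
transform of Schnorr's Sigma-protocol for discrete logarithms, h is SHA-256,
and the group is a toy subgroup of order Q = 1019 in Z_2039^* (far too small
to be secure; it only serves to exercise the rules of the game).
"""
import hashlib
import secrets

P, Q, G = 2039, 1019, 4  # G = 2^2 generates the order-Q subgroup of Z_P^*


def kgen() -> tuple:
    """KGen -> (pk, sk) with pk = G^sk, i.e. a statement/witness pair."""
    sk = secrets.randbelow(Q - 1) + 1
    return pow(G, sk, P), sk


def challenge(pk: int, com: int, x: bytes) -> int:
    """FS transform: ch = h(pk, com, x) replaces the verifier's random coin;
    for a DSS the message x is hashed together with the commitment."""
    data = f"{pk}|{com}|".encode() + x
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def sign(sk: int, x: bytes) -> tuple:
    pk = pow(G, sk, P)
    t = secrets.randbelow(Q - 1) + 1  # prover's randomness
    com = pow(G, t, P)                # first move: commitment
    ch = challenge(pk, com, x)        # second move, now non-interactive
    resp = (t + ch * sk) % Q          # third move: response using the witness
    return (com, resp)


def sig_verify(pk: int, x: bytes, sig: tuple) -> int:
    com, resp = sig
    ch = challenge(pk, com, x)
    # G^resp == com * pk^ch  iff  (com, ch, resp) is an accepting transcript
    return 1 if pow(G, resp, P) == (com * pow(pk, ch, P)) % P else 0


def euf_cma_game(adversary, q_s: int) -> int:
    """Returns 1 iff A outputs a valid (x, sig) on a message never submitted
    to Sign_sk, after at most q_s signing queries (Experiment 3.44)."""
    pk, sk = kgen()
    queried = []

    def sign_oracle(x: bytes) -> tuple:
        if len(queried) >= q_s:
            raise RuntimeError("query budget q_s exhausted")
        queried.append(x)
        return sign(sk, x)

    x, sig = adversary(pk, sign_oracle)
    return 1 if sig_verify(pk, x, sig) == 1 and x not in queried else 0


def replay_adversary(pk: int, sign_oracle) -> tuple:
    """Returns a signature obtained from the oracle: it verifies, but the
    message was queried, so by definition it is not a forgery."""
    x = b"transfer 10 EUR"  # constructed message
    return x, sign_oracle(x)


def tamper_adversary(pk: int, sign_oracle) -> tuple:
    """Re-uses a genuine signature on a different message: fails unless the
    two messages collide under the hash modulo Q."""
    sig = sign_oracle(b"transfer 10 EUR")
    return b"transfer 1000 EUR", sig


if __name__ == "__main__":
    print("replay adversary wins:", euf_cma_game(replay_adversary, q_s=1))
    print("tamper adversary wins:", euf_cma_game(tamper_adversary, q_s=1))
```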
Definition 3.45 (Existential Unforgeability under Chosen Message Attack (EUF-CMA)). A DSS $\mathsf{Sig}$ is existentially unforgeable under chosen message attack (or, it is EUF-CMA secure) iff, for any PPT algorithm $\mathcal{A}$ it holds that:
    $\mathrm{Adv}^{\text{EUF-CMA}}_{\mathsf{Sig},\mathcal{A}} \leq \mathrm{negl}.$

Signatures in the Random Oracle Model
For certain applications it makes sense to investigate the security properties of signature schemes in the random oracle model. Recall that, in the ROM, all the parties involved gain access to an oracle $\mathcal{O}^h$, where $h$ is a function chosen uniformly at random from the set of all functions on certain spaces. This also means, in particular, that Definition 3.43 changes by allowing $\mathrm{KGen}, \mathrm{Sign}, \mathrm{SigVerify}$ oracle access to $\mathcal{O}^h$. The resulting security model changes as follows.

Experiment 3.46 ($\mathrm{Game}^{\text{EUF-CMA-RO}}_{\mathsf{Sig},\mathcal{A}}$). Let $\mathsf{Sig}$ be a DSS, $\mathcal{O}^h$ a random oracle (computing a function $h$ selected uniformly at random), and $\mathcal{A}$ a PPT algorithm. The EUF-CMA-RO experiment proceeds as follows:
    Input: $n, q_s, q_h \in \mathbb{N}$
    $(\mathit{pk}, \mathit{sk}) \leftarrow \mathrm{KGen}^{\mathcal{O}^h}$
    $(x, \mathit{sig}) \leftarrow \mathcal{A}^{\mathrm{Sign}_{\mathit{sk}}, \mathcal{O}^h}(\mathit{pk})$, after making at most $q_h$ queries to $\mathcal{O}^h$, and $q_s$ queries to $\mathrm{Sign}_{\mathit{sk}}$ receiving signatures $(x_1, \mathit{sig}_1), \ldots, (x_{q_s}, \mathit{sig}_{q_s})$
    if $\mathrm{SigVerify}(\mathit{pk}, x, \mathit{sig}) = 1$ and $x \neq x_i$ $\forall i = 1, \ldots, q_s$ then Output: 1 else Output: 0
The advantage of $\mathcal{A}$ is defined as:
    $\mathrm{Adv}^{\text{EUF-CMA-RO}}_{\mathsf{Sig},\mathcal{A}}(n, q_s, q_h) := \Pr\left[\mathrm{Game}^{\text{EUF-CMA-RO}}_{\mathsf{Sig},\mathcal{A}}(n, q_s, q_h) \to 1\right].$

Definition 3.47 (Existential Unforgeability under Chosen Message Attack in the Random Oracle Model (EUF-CMA-RO)). A DSS $\mathsf{Sig}$ is existentially unforgeable under chosen message attack in the random oracle model (or, it is EUF-CMA-RO secure) iff, for any PPT algorithm $\mathcal{A}$ it holds that:
    $\mathrm{Adv}^{\text{EUF-CMA-RO}}_{\mathsf{Sig},\mathcal{A}} \leq \mathrm{negl}.$

3.5 The Fiat-Shamir Transformation

The Fiat-Shamir (FS) transformation [FS86] is a well-known method to remove interaction in three-move identification schemes between a prover and a verifier (also called Σ-protocols), by letting the verifier's challenge $\mathit{ch}$ be determined via a hash function $h$ applied to the prover's first message $\mathit{com}$. Currently, the only generic, provably secure instantiation is by modeling the hash function $h$ as a random oracle [BR93, PS00]. In this section, we will investigate the security of the FS transformation when applied to a Σ-protocol $(\mathcal{P}, \mathcal{V})$ in order to obtain a DSS $\mathsf{Sig}$, which we call the FS transform of $(\mathcal{P}, \mathcal{V})$.

Hard Languages
Let $L \in \mathbf{NP}$ be a language with a (polynomially computable) relation $R$, i.e., $\forall x : x \in L \Leftrightarrow \exists w \in W \subset \{0,1\}^{\mathrm{poly}(|x|)} : (x, w) \in R$. In this case we also write that $x \in L_n$ and $(x, w) \in R_n$, for $n = |x|$. For using $L$ in cryptographic applications, we need to discuss the following two issues:
    1. given a statement $x \in L$, how hard is it to find a valid witness for $x$? And,
    2. is it possible at all to find valid pairs $(x, w) \in R$ in an efficient way?
For an interesting security notion, finding a witness from $x$ alone should be infeasible for computationally bounded adversaries. On the other hand, it is useful to have a way to efficiently sample elements from the relation.
To this end we assume the existence of an efficient hard instance generator $\mathrm{Inst}$, which on input the security parameter $n$ outputs a pair $(x, w) \in R_n$ such that no PPT algorithm can find valid witnesses for the overwhelming majority of statements contained in any of $\mathrm{Inst}$'s outputs. If $L$ admits a hard instance generator, we say that $L$ is a hard language.

Definition 3.48 (Hard Language and Instance Generator). Let $R$ be an $\mathbf{NP}$ relation between language $L$ and witness space $W$. A PPT algorithm $\mathrm{Inst}$ is a hard instance generator for $R$ iff the following hold:
    1. $(x, w) \in R_n$, for any $(x, w) \leftarrow \mathrm{Inst}$; and
    2. for any PPT algorithm $\mathcal{A}$ it holds: $\Pr_{(x,w) \leftarrow \mathrm{Inst}}\left[(x, \mathcal{A}(x)) \in R\right] \leq \mathrm{negl}$.
If $L$ admits a hard instance generator, we say that $L$ is a hard language, and we denote it by $L_{W,R,\mathrm{Inst}}$.

Notice that the existence of a hard instance generator does not mean that it is hard to find a valid witness for any statement in $L$. But this certainly holds for the vast majority of those statements in the subclass output by $\mathrm{Inst}$. Moreover, the cardinality of this subclass is at least superpolynomial in $n$ (otherwise PPT algorithms with oracle access to $\mathrm{Inst}$ could find valid witnesses by exhaustive search). This fact is used in the following paragraphs about the Fiat-Shamir transformation in order to show that large enough commitment spaces can be built from hard languages. Candidates for hard languages are at the base of many cryptographic constructions, and stem from $\mathbf{NP}$ problems such as graph isomorphism [GMW86], decisional Diffie-Hellman for finite groups [Bon98], and many others.

Identification Schemes

An identification scheme (IS) between a prover $\mathcal{P}$ and a verifier $\mathcal{V}$ is an interactive protocol which allows $\mathcal{P}$ to prove his identity to $\mathcal{V}$. By 'proving identity' we mean 'proving a statement about one's identity'. This is usually done with the help of a hard language $L_{W,R,\mathrm{Inst}}$ where every user identity is bound to a certain statement; in practice, identities are usually linked to some public key, and for the prover to succeed he must prove ownership of the corresponding private key. We write $d \leftarrow (\mathcal{P}(x, w), \mathcal{V}(x))$ for the final outcome of the protocol, where $d \in \{0,1\}$ is a bit denoting the final decision (acceptance or rejection) of the verifier.

ISs are related to a class of cryptographic objects known as interactive proofs of knowledge. Traditionally, the security notion for an IS is based on impersonation security, which intuitively states that no efficient adversary should be able to make $\mathcal{V}$ accept a statement $x$ without knowing a valid witness $w$. However, for the scope of this work, a weaker notion of security (which we call weak impersonation security) suffices. In this notion, additional effort is required for an adversary to be successful. Namely, given a statement $x$, the adversary should be able, after interacting with $(\mathcal{P}, \mathcal{V})$, to output a valid witness for $x$, breaking the security of the hard language.
This, in particular, would allow the adversary to make V accept the execution of the scheme (but the converse is not necessarily true, which is why this notion is called 'weak'). Moreover, weak security comes in two variants, depending on the level of interaction that the adversary is allowed to have with (P, V). For passive adversaries, the only allowed interaction is given by observing and recording the executions of (at most polynomially many) sequential instances of the IS for a given statement. Therefore, passive weak security only relies on the hardness of the language $L_{W,R,\mathsf{Inst}}$.

Definition 3.49 (Passively and Weakly Secure Identification Scheme (PWSIS)). A passively and weakly secure identification scheme (PWSIS), (P, V), for a hard language $L_{W,R,\mathsf{Inst}}$ is an interactive protocol between two PPT algorithms P and V satisfying:
$$\forall n,\ \forall (x,w) \leftarrow \mathsf{Inst} \implies (P(x,w), V(x)) \to 1.$$

An active adversary, instead, is also allowed to interact directly with P(x, w) by impersonating V, and its goal is to output a valid witness for x given this interaction. That is, an active adversary $A := (A_1, A_2)$ is a passive adversary who also has access to P(x, w) (seen as an oracle). However, in order to avoid trivial breaks of the identification scheme (e.g., by man-in-the-middle attacks), during the security game the adversary can only be active before actually seeing x, and becomes passive afterwards. We express this as $A_1^{P(x,w)}(x)$. Obviously, if an IS is weakly secure against active attacks, it is also secure against passive attacks, but the converse does not necessarily hold. More formally, we define the following.

Definition 3.50 (Actively Weakly Secure Identification Scheme (AWSIS)). An actively and weakly secure identification scheme (AWSIS), (P, V), for a hard language $L_{W,R,\mathsf{Inst}}$ is a PWSIS (according to Definition 3.49) such that, for every pair of PPT algorithms $A_1, A_2$, the following holds:
$$\Pr_{(x,w) \leftarrow \mathsf{Inst}}\left[\left(x,\ A_2\left(x,\ A_1^{P(x,w)}(x)\right)\right) \in R\right] \leq \mathsf{negl}.$$

Σ-Protocols

A Σ-protocol for a hard language $L_{W,R,\mathsf{Inst}}$ between a prover P and a verifier V is a 3-step interactive protocol which allows P to convince V that he knows a witness w for a public theorem $x \in L$, without giving to V non-trivial information beyond this fact. Informally, a Σ-protocol (P, V) consists of an interactive exchange of three messages (com, ch, resp) where the first message com (the commitment) is sent by P, the second message ch (the challenge) is sampled uniformly from a challenge space by V, and the last message resp (the response) is computed by P by using the witness. We write $(\mathsf{com}, \mathsf{ch}, \mathsf{resp}) \leftarrow (P(x,w), V(x))$ for the randomized output (the communication transcript) of an interaction between P and V. We denote individual messages of the (stateful) prover in such an execution by $\mathsf{com} \leftarrow P(x,w)$ and $\mathsf{resp} \leftarrow P(x,w,\mathsf{com},\mathsf{ch})$, respectively. Analogously, we denote the verifier's steps by $\mathsf{ch} \leftarrow V(x,\mathsf{com})$ for the challenge step, and $d \leftarrow V(x,\mathsf{com},\mathsf{ch},\mathsf{resp})$ for the final decision, where $d \in \{0,1\}$ is a bit denoting acceptance or rejection. More formally, we define the following.

Definition 3.51 (Σ-Protocol). A Σ-protocol ('sigma-protocol') (P, V) for a hard language $L_{W,R,\mathsf{Inst}}$ is a 3-move interactive protocol with exchange of messages com, ch, resp between two PPT algorithms P and V satisfying the following properties:
1. Completeness: $\forall n \in \mathbb{N}$, $(x,w) \in R_n$, $(\mathsf{com},\mathsf{ch},\mathsf{resp}) \leftarrow (P(x,w), V(x))$ it holds that $V(x,\mathsf{com},\mathsf{ch},\mathsf{resp}) = 1$.
2. Public-Coin: $\forall n \in \mathbb{N}$, $(x,w) \in R_n$, $\mathsf{com} \leftarrow P(x,w)$, the challenge distribution $\mathsf{ch} \leftarrow V(x,\mathsf{com})$ is uniform on $\{0,1\}^{\mathrm{poly}(n)}$.
3. Special Soundness: there exists a PPT algorithm J (the extractor) such that, given two valid transcripts $(\mathsf{com},\mathsf{ch},\mathsf{resp})$ and $(\mathsf{com},\mathsf{ch}',\mathsf{resp}')$ for $x \in L$ (with $\mathsf{ch} \neq \mathsf{ch}'$) and $V(x,\mathsf{com},\mathsf{ch},\mathsf{resp}) = V(x,\mathsf{com},\mathsf{ch}',\mathsf{resp}') = 1$, the extractor outputs a witness $w \leftarrow J(x,\mathsf{com},\mathsf{ch},\mathsf{resp},\mathsf{ch}',\mathsf{resp}')$ for x, satisfying $(x,w) \in R$.
4. Honest-Verifier Zero-Knowledge (HVZK): there exists a PPT algorithm S (the zero-knowledge simulator) which, on input $x \in L$, outputs a transcript (com, ch, resp) that is computationally indistinguishable from a valid transcript derived in a (P, V) interaction. That is, for any PPT algorithm $V^* = (V^*_1, V^*_2)$, the following two distributions are statistically indistinguishable:

   Input: $n \in \mathbb{N}$
   $(x, w, \mathsf{state}) \leftarrow V^*_1(n)$
   if $(x,w) \in R$ then $(\mathsf{com},\mathsf{ch},\mathsf{resp}) \leftarrow (P(x,w), V(x))$
   else $(\mathsf{com},\mathsf{ch},\mathsf{resp}) := (\bot,\bot,\bot)$
   $b \leftarrow V^*_2(\mathsf{com},\mathsf{ch},\mathsf{resp},\mathsf{state})$
   Output: b

   Input: $n \in \mathbb{N}$
   $(x, w, \mathsf{state}) \leftarrow V^*_1(n)$
   if $(x,w) \in R$ then $(\mathsf{com},\mathsf{ch},\mathsf{resp}) \leftarrow S(x)$
   else $(\mathsf{com},\mathsf{ch},\mathsf{resp}) := (\bot,\bot,\bot)$
   $b \leftarrow V^*_2(\mathsf{com},\mathsf{ch},\mathsf{resp},\mathsf{state})$
   Output: b

Theorem 3.52 (Σ-Protocols as IS). Let (P, V) be a Σ-protocol. Then (P, V) is a PWSIS.

It is important to notice two things in the above theorem:
• HVZK is not necessary for Theorem 3.52 to hold; and
• a Σ-protocol may or may not also be an AWSIS.

The FS Transformation applied to Σ-Protocols

The Fiat-Shamir transformation of a Σ-protocol (P, V) is a modification of the protocol where the computation of ch is done as $\mathsf{ch} \leftarrow h(x, \mathsf{com})$ instead of $\mathsf{ch} \leftarrow V(x, \mathsf{com})$. Here, h is a public hash function which is usually modeled as a random oracle $O_h$; in this case we speak of the Fiat-Shamir (FS) transformation of (P, V) in the random-oracle model. Note that we include x in the hash computation, but all of our results remain valid if x is omitted from the input. If applying the FS transformation to a Σ-protocol, one obtains a signature scheme, if the hash computation also includes the message m to be signed. We call the resulting signature scheme the FS transform of (P, V) in the ROM, and we denote it by $\mathsf{Sig}^{O_h}_{FS}(P,V)$.

Definition 3.53 (FS Transform of a Σ-Protocol).
Let (P, V) be a Σ-protocol for a hard language $L_{W,R,\mathsf{Inst}}$, with commitment space X, challenge space Y, and response space Z. Let $O_h$ be a random oracle for a random function $h : L \times X \times M \to Y$. The FS transform of (P, V) in the ROM, $\mathsf{Sig}^{O_h}_{FS}(P,V)$, is a DSS with message space M, signature space $T := X \times Y \times Z$, and key space $K := L \times W$, defined as follows:
1. $\mathsf{KGen} \to (\mathsf{pk}, \mathsf{sk})$, where $(\mathsf{pk}, \mathsf{sk}) := (x, w) \leftarrow \mathsf{Inst}$
2. $\mathsf{Sign}^{O_h}(\mathsf{sk}, m) \to \mathsf{sig} := (\mathsf{com}, \mathsf{ch}, \mathsf{resp})$, where $\mathsf{com} \leftarrow P(\mathsf{pk}, \mathsf{sk})$, $\mathsf{ch} := h(\mathsf{pk}, \mathsf{com}, m)$, and $\mathsf{resp} \leftarrow P(\mathsf{pk}, \mathsf{sk}, \mathsf{com}, \mathsf{ch})$
3. $\mathsf{SigVerify}^{O_h}(\mathsf{pk}, m, \mathsf{sig}) \to b$, where $\mathsf{sig} := (\mathsf{com}, \mathsf{ch}, \mathsf{resp})$, $b \leftarrow V(\mathsf{pk}, \mathsf{com}, h(\mathsf{pk}, \mathsf{com}, m), \mathsf{resp})$

Notice that in the above signature the challenge ch can always be omitted (and it is in fact ignored in the verification step), because it is recovered by computing h on the message, the commitment, and the public key. In this case we define the signature space of the DSS as $T := X \times Z$. The following theorem states that the above construction yields secure DSSs in the ROM.
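As an added example (not code from the thesis), the transform of Definition 3.53 written out in Python. The Σ-protocol is instantiated with Schnorr's discrete-logarithm protocol over a constructed toy group, which is an assumption of this example; the random oracle $O_h$ is replaced by SHA-256 reduced into the challenge space, and ch is dropped from the signature as the remark above allows. The extractor J and the simulator S of Definition 3.51 are included, so the rewinding step of the Theorem 3.54 sketch can be exercised directly.

```python
import hashlib
import secrets

# Constructed toy group (far too small for real use): prime p, prime q dividing
# p - 1, and g generating the subgroup of order q.
P, Q, G = 2039, 1019, 4
assert pow(G, Q, P) == 1 and G != 1

# Hard language L_{W,R,Inst} assumed for this example: R = {(x, w) : x = g^w mod p}.
def inst():
    """Inst: sample (x, w) in R."""
    w = secrets.randbelow(Q - 1) + 1
    return pow(G, w, P), w

# The Sigma-protocol (P, V): Schnorr's protocol (our choice, not the thesis's),
# with commitment space X = <g> and challenge/response spaces Y = Z = Z_q.
def prover_commit(x, w):
    """com <- P(x, w); the stateful prover keeps r."""
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), r

def prover_respond(x, w, r, ch):
    """resp <- P(x, w, com, ch), computed from the witness and the state r."""
    return (r + ch * w) % Q

def verifier_challenge(x, com):
    """ch <- V(x, com): uniform on Y (public-coin)."""
    return secrets.randbelow(Q)

def verifier_decide(x, com, ch, resp):
    """d <- V(x, com, ch, resp): accept iff g^resp = com * x^ch."""
    return pow(G, resp, P) == com * pow(x, ch, P) % P

def extractor(x, com, ch1, resp1, ch2, resp2):
    """J (special soundness): two accepting transcripts sharing com with
    ch1 != ch2 give w = (resp1 - resp2) / (ch1 - ch2) mod q."""
    assert ch1 != ch2
    assert verifier_decide(x, com, ch1, resp1) and verifier_decide(x, com, ch2, resp2)
    return (resp1 - resp2) * pow(ch1 - ch2, -1, Q) % Q

def simulator(x):
    """S (HVZK): choose ch and resp first, then solve for com = g^resp * x^(-ch)."""
    ch, resp = secrets.randbelow(Q), secrets.randbelow(Q)
    return pow(G, resp, P) * pow(x, -ch, P) % P, ch, resp

# Fiat-Shamir transform Sig_FS(P, V) in the ROM (Definition 3.53). The random
# oracle O_h is replaced by SHA-256 reduced into Y, and ch is left out of the
# signature, so T = X x Z as in the remark after the definition.
def h(pk, com, m):
    """h : L x X x M -> Y."""
    digest = hashlib.sha256(b"%d|%d|" % (pk, com) + m).digest()
    return int.from_bytes(digest, "big") % Q

def kgen():
    """KGen -> (pk, sk) := (x, w) <- Inst."""
    return inst()

def sign(pk, sk, m):
    """Sign^{O_h}(sk, m) -> sig = (com, resp), with ch := h(pk, com, m)."""
    com, r = prover_commit(pk, sk)
    return com, prover_respond(pk, sk, r, h(pk, com, m))

def verify(pk, m, sig):
    """SigVerify^{O_h}(pk, m, sig) -> b, recomputing ch from (pk, com, m)."""
    com, resp = sig
    return verifier_decide(pk, com, h(pk, com, m), resp)

def demo():
    """Returns (signature verifies, altered response rejected, J recovers sk,
    simulated transcript verifies)."""
    pk, sk = kgen()
    m = b"constructed message"
    com, resp = sign(pk, sk, m)
    ok = verify(pk, m, (com, resp))
    altered = verify(pk, m, (com, (resp + 1) % Q))   # rejected since g != 1
    # Rewinding as in the sketch of Theorem 3.54: same com, two challenges.
    com2, r = prover_commit(pk, sk)
    ch1 = verifier_challenge(pk, com2)
    ch2 = (ch1 + 1) % Q
    w = extractor(pk, com2, ch1, prover_respond(pk, sk, r, ch1),
                  ch2, prover_respond(pk, sk, r, ch2))
    return ok, altered, w == sk, verifier_decide(pk, *simulator(pk))
```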
Theorem 3.54 (Security of a Fiat-Shamir Transform [PS00]). Let (P, V) be a Σ-protocol. Then $\mathsf{Sig}^{O_h}_{FS}(P,V)$ is an EUF-CMA-RO secure DSS.

Sketch. The proof of this theorem uses rewinding. Intuitively, given a statement x and an adversary forging a signature for the DSS, this is used to extract a transcript (com, ch, resp) for the underlying Σ-protocol. After that, the adversary is rewound, and the random oracle reprogrammed, in such a way that letting the adversary run again with the new oracle yields a related transcript (com, ch', resp') for the same com but $\mathsf{ch} \neq \mathsf{ch}'$. This, in turn, allows to use the special soundness property to extract a valid witness for x, therefore breaking the weak security of the underlying Σ-protocol, in contrast to Theorem 3.52.

ORAMs

In this chapter we have presented many different cryptographic objects, in order of growing technical complexity. As a last example, we conclude with the concept of Oblivious Random Access Machine (ORAM), and we define and analyze security models against classical adversaries.

Defining ORAMs in a fully formal way is a long, delicate, and strenuous task [GO96]. Therefore, in the following we will use a simplified model (introduced in [GKK17]) which covers most of the existing ORAM constructions without delving too much into the fine print, but still retaining a reasonable level of formalism, and which has the advantage of being much easier to treat.

Informally, an ORAM is an interactive protocol between two parties: a client C and a server S, which we model as two PPT Turing machines (or, in our case, uniform families of circuits) sharing a communication tape (circuit register) Ξ to exchange data. In this scenario, a computationally limited C wants to outsource a database (DB) to the more powerful S. Moreover, C wants to perform operations on the DB (by interactively communicating with S) in such a way that S, or any other honest-but-curious adversary A having read-only access to Ξ and S's internal memory, cannot determine the nature of such operations. The security notion for ORAM schemes is therefore a particular notion of privacy.

More formally: we define blocks, the basic storage units used in an ORAM construction. A block is an area of memory (circuit register) storing an $n_{blk}$-bit value, for a fixed parameter $n_{blk} \in \mathbb{N}$ which depends on C's and S's architectures. A database (DB) of size $n_{db} \in \mathbb{N}$ is an area of S's memory which stores an array $(\mathsf{block}_1, \ldots, \mathsf{block}_{n_{db}})$ of such blocks. As we assume this database to reside on the server's side, we will denote it as S.DB. Notice that the precise way this array of blocks is represented in the database is unspecified, and left to the exact implementation of the ORAM scheme taken into account. For example, in the ORAM construction we are going to analyze in detail, the server's database S.DB stores blocks in a binary tree structure. We will write $S.\mathsf{DB}(i) = \mathsf{block}$ if block is the i-th component of S.DB, and $\mathsf{block} \in S.\mathsf{DB}$ if block is stored at some position in the database S.DB.

Next we define data units as the basic units of data that the client wants to access, read, or write. Formally, a data unit is an $n_{dat}$-bit value for a fixed parameter $n_{dat} \leq n_{blk}$ which depends on C's and S's architectures. Every block encodes (usually in an encrypted form) a data unit, plus possibly auxiliary information such as a block identifier, checksum, or hash value. Since every block can encode a single data unit, at any given time t a function $\mathsf{Data}_t : S.\mathsf{DB} \to \{0,1\}^{n_{dat}}$ is defined. With abuse of notation, we will denote by Data(block) the data unit encoded in the block block at a certain time t. The client C can operate on the database through data requests.

Definition 3.55 (Data Request). A data request to a database S.DB of size $n_{db}$ is a tuple $\mathsf{dr} = (\mathsf{op}, i, \mathsf{data})$, where $\mathsf{op} \in \{\mathsf{read}, \mathsf{write}\}$, $i \in \{1, \ldots, n_{db}\}$, and $\mathsf{data} \in \{0,1\}^{n_{dat}}$ is a data unit (data can also be ⊥ if op = read).

Finally, we define the meaning of a communication transcript during an execution of an ORAM protocol. Since this also depends on the exact implementation of the ORAM scheme, we will use the following definition.
Definition 3.56 (Communication Transcript). A communication transcript $\mathsf{com}_t$ at time t is the content of the communication channel Ξ at time t of the protocol's execution.

Notice that the above defines the communication transcript as a function of time, but since an ORAM is a multi-round interactive protocol we will just consider com as a discrete function of the round $1, 2, \ldots$ of the protocol. We are now ready to give a definition of ORAM. We assume that a server's database is always initialized empty (usually with randomized encryptions of 0 elements as blocks), and it is left up to the client the task of 'populating' the database with appropriate write operations.

Definition 3.57 (ORAM). Let $n_{Max} \in \mathbb{N}$, $n_{msg} \geq n_{dat} \in \mathbb{N}$ be fixed parameters, and $E = (\mathsf{KGen}, \mathsf{Enc}, \mathsf{Dec})$ be a SKES mapping $n_{msg}$-bit plaintexts to $n_{blk}$-bit ciphertexts. An ORAM $\mathsf{ORAM}_E$ with parameters $(n_{Max}, n_{dat}, E)$ is a pair of two-party interactive randomized algorithms, (Init, Access), such that:
• $\mathsf{Init}(n, n_{db}) \to (C, S)$ in the following way:
  1. n is the security parameter, $n_{db} \leq n_{Max}$;
  2. $k \leftarrow \mathsf{KGen}(n)$ is generated by C;
  3. S includes a database $S.\mathsf{DB} = (\mathsf{block}_1, \ldots, \mathsf{block}_{n_{db}})$, where $\forall i : \mathsf{block}_i \leftarrow \mathsf{Enc}_k(0)$;
• $\mathsf{Access}(C, S, \mathsf{dr}) \to (C', S', \mathsf{com})$ in the following way:
  1. C issues a data request dr;
  2. C and S communicate through Ξ and produce the communication's transcript com.

One might wonder why it is necessary to explicitly condition the definition of an ORAM with respect to a symmetric-key encryption scheme E. It is actually possible to use different primitives, such as PKES, but most of the known ORAM constructions work well with just a simple primitive such as SKES. One might also wonder why the definition does not depend on other cryptographic primitives, such as PRNGs or PRFs. The reason is that not all ORAM constructions use such primitives; for example the 'trivial' ORAM scheme [GO96] (which consists in just transferring the whole encrypted database from S to C and back at every data request) does not use anything else than a SKES E as a building block. On the other hand, notice that encryption of the database is a minimal requirement for security, as we will see, therefore it makes sense to explicitly specify the scheme E in the notation.

An ORAM must satisfy soundness and security. We are going to define security in Section 4.7. Regarding soundness, the exact specification depends on the particular ORAM construction considered. A simplified, game-based definition of soundness ('correctness') can be found in [GMP16], but it is difficult to adapt to the model from [GKK17] which we consider here, and which is more aimed at studying ORAM security, while a general definition (that can be found in [GO96]) is rather involved, and goes outside the scope of this work. The meaning of the soundness property is that the ORAM protocol 'should work', i.e., after any execution of Init or Access the two parties C and S must be left in such a state that allows them to continue the protocol in the next round.
Despite the generality of this statement, in the model we considerhere minimal soundness conditions can be identified, which must hold for any ORAM construction.
Definition 3.58 (Minimal ORAM Soundness Conditions). An ORAM construction $\mathsf{ORAM}_E$ has minimal soundness if the following hold:
1. for any $(n, n_{db})$, if $(C, S) \leftarrow \mathsf{Init}(n, n_{db})$, then C stores the secret key k from Def. 3.57;
2. for any $\mathsf{dr} = (\mathsf{op}, i, \mathsf{data})$, if $(C', S', \mathsf{com}) \leftarrow \mathsf{Access}(C, S, \mathsf{dr})$, then:
   a) if C stores the secret key k, then also C' stores k;
   b) if op = read and $S.\mathsf{DB}(i) = \mathsf{block}$, then C' stores Data(block);
   c) if op = write and $S'.\mathsf{DB}(i) = \mathsf{block}$, then Data(block) = data.

S having access to the key k or not: this is a property of security, not soundness, as we will see in Section 4.7. An ORAM scheme ORAM can have additional soundness conditions, depending on the particular construction. We assume that whenever C (resp., S) is modified during the execution of the protocol to C' (resp., S') after Access calls, all these soundness conditions (the minimal ones above as well as the special ones) are always satisfied. In this case, we also say that C' is a sound evolution of C and that S' is a sound evolution of S.

Classical Security of ORAMs
We now look at the security model for ORAMs against classical adversaries introduced in [GKK17]. Traditionally, the threat model in this case is defined by an honest-but-curious adversary A. This means that A is some entity who wants to compromise C's privacy by having access to the communication channel Ξ and S's internal memory, but who is not allowed to modify the content of the channel or the database against the protocol, i.e., soundness must be preserved. In general, one does not lose generality by assuming that S itself is the adversary: S must behave 'honestly' (in the sense that he follows the protocol, in particular related to the protocol's soundness), but at the same time he will use all the information he can get through the interaction with C in order to compromise C's privacy. In particular, this also implies that S cannot know the key k generated during ORAM.Init, as noted above.

Formally, this model is defined in terms of access patterns, which are the adversarial views during an execution of data requests in ORAM.Access. Security requires that the adversary's view over a certain run of the protocol does not leak any information about the data requests executed by C, except the sequences' length. This formulation is reminiscent of the definition of semantic security for encryption schemes. As in that case, equivalent but easier-to-deal-with formulations can be given in terms of computational indistinguishability of access patterns. Following the security model introduced in [GKK17], we will consider an adaptive, game-based indistinguishability notion stating that for any two data requests, no computationally bounded adversary with knowledge of the access pattern of the client executing one of the two can distinguish which one was executed. This definition is equivalent [GKK17] to the simulation-based notion given in [GMP16], which states that no computationally bounded adversary can distinguish between the interaction with a real client or with a simulator that produces bogus transcripts.

More formally: when a data request is executed, we assume that the honest-but-curious adversary A records all the communication between C and S, plus the changes in S's internal status. Without loss of generality, as we assume that A and S coincide, we assume that the only meaningful changes in the database area S.DB happen between the beginning and the end of an Access execution. The communications are polynomially bounded and, for simplicity, we assume that the channel Ξ does not erase symbols, i.e., it is write-once. Hence, the adversarial view is composed of the communication transcript, and the server's database before and after the execution of the data request. We call this adversarial view the access pattern of the execution.
Definition 3.59 (Access Pattern). Given ORAM client and server C and S, and a data request dr, the access pattern $\mathsf{ap}(\mathsf{dr})$ is the tuple $(S.\mathsf{DB}, \mathsf{com}, S'.\mathsf{DB})$, where $(C', S', \mathsf{com}) \leftarrow \mathsf{Access}(C, S, \mathsf{dr})$.

Next, we define formally a classical ORAM adversary.

Definition 3.60 (Classical ORAM Adversary). A classical ORAM adversary A is a PPT algorithm which is computationally indistinguishable from an honest server S for every ORAM client C (in particular, soundness is preserved).

Notice the following fact: this definition of adversary can generally be stronger than in the usual 'honest-but-curious' meaning. In fact, such an adversary could still manipulate the channel and the database in a malicious way, as long as the client C cannot detect such manipulation; in particular, the soundness of the protocol must be preserved. We define the security of an ORAM through the following indistinguishability game.

Experiment 3.61 ($\mathsf{Game}^{\text{AP-IND-CQA}}_{\mathsf{ORAM},A}$). Let $\mathsf{ORAM} = (\mathsf{Init}, \mathsf{Access})$ be an ORAM construction with parameters $(n_{Max}, n_{dat}, E)$, n a security parameter and A a classical ORAM adversary. The computational indistinguishability of access patterns game under adaptive chosen query attack $\mathsf{Game}^{\text{AP-IND-CQA}}_{\mathsf{ORAM},A}$ proceeds as follows:

   Input: $n \in \mathbb{N}$
   $A \to (A_0, \mathsf{dr}_1, n_{db} \leq n_{Max})$
   $(C_0, S_0) \leftarrow \mathsf{Init}(n, n_{db})$
   loop for $i = 1, \ldots, q \in \mathbb{N}$:   ▷ first CQA learning phase
      $\mathsf{Access}(C_{i-1}, S_{i-1}, \mathsf{dr}_i) \to (C_i, S_i, \mathsf{ap}_i)$
      $A_{i-1}(\mathsf{ap}_i, S_i) \to (A_i, \mathsf{dr}_{i+1})$
   $A_q(\mathsf{dr}_{q+1}) \to (A, \mathsf{dr}_0, \mathsf{dr}_1)$
   $b \xleftarrow{\$} \{0,1\}$
   $\mathsf{Access}(C_q, S_q, \mathsf{dr}_b) \to (C_{q+1}, S_{q+1}, \mathsf{ap}_{q+1})$   ▷ AP-IND challenge query
   $A(\mathsf{ap}_{q+1}, S_{q+1}) \to (A_{q+1}, \mathsf{dr}_{q+2})$
   loop for $i = q+2, \ldots, q' \geq q+2$:   ▷ second CQA learning phase
      $\mathsf{Access}(C_{i-1}, S_{i-1}, \mathsf{dr}_i) \to (C_i, S_i, \mathsf{ap}_i)$
      $A_{i-1}(\mathsf{ap}_i, S_i) \to (A_i, \mathsf{dr}_{i+1})$
   $A_{q'}(\mathsf{dr}_{q'+1}) \to \hat{b} \in \{0,1\}$
   if $b = \hat{b}$ then Output: 1 else Output: 0

The advantage of A is defined as:
$$\mathsf{Adv}^{\text{AP-IND-CQA}}_{\mathsf{ORAM},A} := \Pr\left[\mathsf{Game}^{\text{AP-IND-CQA}}_{\mathsf{ORAM},A} \to 1\right] - \frac{1}{2}.$$

In this game the adversary, after selecting suitable ORAM parameters of his choice, is first allowed to see the access patterns originated by executions of Access for data requests of his choice, chosen adaptively one after the other (this is called 'first CQA learning phase'). At some point, the adversary issues a challenge query composed of two (w.l.o.g. different) data requests. One of the two is selected at random and executed through Access, and the adversary, after being allowed a second CQA learning phase, must guess which one of the two was executed. Notice that, since A is polynomially bounded, q and q' are at most polynomials in n. We are now ready to define the classical security notion for ORAMs.

Definition 3.62 (Access Pattern Indistinguishability Under Adaptive Chosen Query Attack). An ORAM construction ORAM has computationally indistinguishable access patterns under adaptive chosen query attack (or, it is AP-IND-CQA-secure) iff for any classical ORAM adversary A it holds that $\mathsf{Adv}^{\text{AP-IND-CQA}}_{\mathsf{ORAM},A} \leq \mathsf{negl}$.

PathORAM
As an example of ORAM construction, we recall here PathORAM, one of the most efficient ORAM constructions proposed to date, introduced by Stefanov et al. in [SvDS+13]. It stores $n_{db}$ blocks of bit size $n_{blk}$ on a server, in a binary tree structure of height $n_{tree} = \lceil \log n_{db} \rceil$. Each node of the tree can store a constant amount $n_{bkt}$ of blocks. Every block encodes (in an encrypted form, using an IND-CPA SKES) a data unit of bit size $n_{dat}$, and optionally additional information which is used to label the block for efficient retrieval. There are many different ways one can implement this labeling of the blocks. In our case we will use the simple approach of concatenating to the data unit data an $n_{tag}$-bit string encoding the block identifier $i \in \{1, \ldots, n_{db}\}$, that is, blocks are of the form $\mathsf{block}_i \leftarrow \mathsf{Enc}_k(i \,\|\, \mathsf{data}_i)$. This system is very general, and as we will see it has the advantage that it easily translates to the quantum setting, unlike other approaches such as identifying blocks by using a hash table. At the beginning, all the blocks in the tree are initialized in an 'empty' state, which is defined by setting to 0 the identifying label; recall in fact that valid block identifiers are $1, \ldots, n_{db}$ only. Every block is mapped to a leaf of the tree, and this mapping is recorded in a correspondence table, called position map, by the client.

A read (or write) operation for a block $\mathsf{block}_i$ is performed by the client, by downloading the path (tree branch) from the root of the tree to the leaf indicated in the client's position map, and randomly remapping $\mathsf{block}_i$ to another leaf in the position map. Then the client decrypts and re-encrypts (re-randomizing) all the blocks in the downloaded path, and for every valid (non-empty) block $\mathsf{block}_j$ found, the client checks its corresponding leaf in the position map, and moves $\mathsf{block}_j$ (if there is enough available space) to the node in the path which is closest to the leaf level and that belongs both to the downloaded path and the path to the leaf of $\mathsf{block}_j$ given by the position map. If a block does not fit anywhere in the downloaded path, then an extra storage, called 'stash', is used by the client to store this overflowing block locally. The blocks found in the stash are also examined during every read (or write) operation and checked if they can be evicted from the stash and placed in the tree. Since the stash must be stored locally by the client, the stash's size should be reasonably small; in fact, [SvDS+13] shows that the probability of the stash growing beyond $O(\log n_{db})$ is negligible in the number of queries. The intuition is to notice that the stash is only used if the tree root is full, but the average action of a data request is to push only $\mathsf{block}_i$ toward the tree root, and push many other blocks $\mathsf{block}_j$ toward the leaf level. In the following we will mostly ignore the use of the stash for simplicity. More concretely, we give here a full description of PathORAM (which we denote as PathORAM) according to the formalism introduced.
Construction 3.63 (PathORAM [GKK17, Definition 18]). For fixed parameters $n_{dat}, n_{Max} \in \mathbb{N}$, let $n_{tag} = \lceil \log n_{Max} \rceil$, $n_{bkt} \in \mathbb{N}$, $n_{msg} = n_{dat} + n_{tag}$, $n_{blk} \geq n_{msg}$. Let G be a PRNG outputting $n_{tag}$-bit values, and $E = (\mathsf{KGen}, \mathsf{Enc}, \mathsf{Dec})$ be a SKES with $n_{msg}$-bit plaintexts and $n_{blk}$-bit ciphertexts. We define an ORAM construction called $\mathsf{PathORAM} = \mathsf{PathORAM}_{E,G}$ as follows:

• $\mathsf{Init}(n, n_{db}) \to (C, S)$ in the following way:
  1. C generates a secret key $k \leftarrow \mathsf{KGen}$
  2. set $n_{tree} := \lceil \log n_{db} \rceil$   ▷ notice $n_{tree} \leq n_{tag}$
  3. C initializes a position map of the form $((1, r_1), \ldots, (n_{db}, r_{n_{db}}))$, where the $r_i$ are $n_{tree}$-bit values generated by truncating bits from G's output
  4. S.DB is stored in a binary tree of height $n_{tree}$, with root Root and leaves $\mathsf{Leaf}_0, \ldots, \mathsf{Leaf}_{2^{n_{tree}}-1}$, and such that:
     1. each node of the tree stores up to $n_{bkt}$ blocks;
     2. every block of every node is initialized to $\mathsf{Enc}_k(0^{n_{tag}} \,\|\, 0^{n_{dat}})$.

• If $\mathsf{dr} = (\mathsf{op}, i, \mathsf{data})$, then $\mathsf{Access}(C, S, \mathsf{dr}) \to (C', S', \mathsf{com})$ as follows:
  1. C reads $r_i$ from his position map and sends it to S
  2. S sends to C the path Branch from Root to $\mathsf{Leaf}_{r_i}$
  3. remap $(i, r_i)$ to $(i, r'_i)$ in the position map of C, where $r'_i$ is a fresh pseudorandom $n_{tree}$-bit value (generated by truncating the first $n_{tag} - n_{tree}$ bits of G's output), obtaining C'
  4. for all block contained in Branch do
  5.    C decrypts $\mathsf{Dec}_k(\mathsf{block}) \to (j \,\|\, \mathsf{data}_j) \in \{0,1\}^{n_{msg}}$, where $j \in \{0,1\}^{n_{tag}}$, $\mathsf{data}_j \in \{0,1\}^{n_{dat}}$
  6.    if $j = i$ then
  7.       if op = 'read' then C reads $\mathsf{data}_j$   ▷ C now has access to $\mathsf{data}_j$
  8.       else if op = 'write' then C sets $\mathsf{data}_j = \mathsf{data}$   ▷ block is updated
  9.    C re-encrypts (re-randomizing) block
  10.   find in Branch the common parent node Node between $\mathsf{Leaf}_{r_i}$ and $\mathsf{Leaf}_{r_j}$, closer to the leaf level
  11.   set $b_{\mathsf{swap}} := $ 'false'
  12.   for all block' in Node do
  13.      C decrypts $\mathsf{Dec}_k(\mathsf{block}') \to (j' \,\|\, \mathsf{data}_{j'}) \in \{0,1\}^{n_{msg}}$
  14.      C re-encrypts (re-randomizing) $\mathsf{block}' \leftarrow \mathsf{Enc}_k(j' \,\|\, \mathsf{data}_{j'})$
  15.      if $j' = 0 \ldots 0$ then   ▷ block' is empty, can be used
  16.         swap block and block'
  17.         set $b_{\mathsf{swap}} := $ 'true'
  18.   if $b_{\mathsf{swap}} = $ 'false' then   ▷ no empty blocks in current Node
  19.      if Node ≠ Root then
  20.         set Node to be one level up in the tree (i.e., Node's parent)
  21.         go to step 12
  22.      else store block in the Stash   ▷ no empty blocks found
  23. C sends back the updated tree branch, NewBranch, to S
  24. update S.DB with NewBranch, obtaining S'
  25. produce com, which contains $r_i$, Branch, NewBranch

Note that the size of the position map is linear in the number of blocks that the client has, and thus cannot be stored locally by the client. The authors of [SvDS+13] propose storing the position map recursively in smaller PathORAMs following an idea from [SSS12]. For ease of exposition however, we will assume here that the position map is stored locally.
In the above, we recap the meaning of the parameters as follows:
• n is the security parameter, used by the encryption scheme E.
• $n_{Max}$ is the maximum number of blocks that the server's architecture can support (an upper bound to S's tree storage).
• $n_{db}$ is the maximum number of 'real' blocks that the client C wants to store (so, $n_{db} \leq n_{Max}$). Unlike $n_{Max}$, thus, $n_{db}$ can be chosen by the adversary in the security game.
• $n_{tag}$ is the minimum number of bits that are needed to index all the 'real' blocks in the limit scenario where $n_{db} = n_{Max}$. Hence, $n_{tag}$ is also architecture-dependent, and not chosen by A.
• $n_{bkt}$ is the maximum number of blocks that can be stored in every tree node. Lower values reduce the amount of memory used by S to store the tree (for a fixed $n_{db}$), but increase the risk of using large amounts of memory by the client for the stash. This is a parameter of the particular PathORAM implementation: as we do not care about performance analysis here, we will leave $n_{bkt}$ undefined, as any nonzero value works for us.
• $n_{tree}$ is the minimum number of bits that are needed to index all the 'real' $n_{db}$ blocks (hence, $n_{tree} \leq n_{tag}$). $n_{tree}$ also represents the minimum height of the tree necessary to store all blocks in the limit case $n_{bkt} = 1$.
• $n_{dat}$ is the bit size of the data units used in the PathORAM implementation, and it is hence architecture-dependent.
• $n_{msg}$ is the total bit size of a data unit, plus the number of bits necessary to address the block where this data unit is encoded, so also this value is architecture-dependent. The encryption scheme E must be able to work with $n_{msg}$-bit plaintexts.
• $n_{blk}$ is the size of a ciphertext produced by the encryption scheme E, and hence the total size of a block. The size of S's tree storage memory is thus at most $n_{blk} \cdot n_{Max}$ bits.

We now show the (classical) security of
PathORAM.

Theorem 3.64 (AP-IND-CQA Security of PathORAM). Let $E = (\mathsf{KGen}, \mathsf{Enc}, \mathsf{Dec})$ be an IND-CPA SKES, and let G be a PRNG. Then, PathORAM instantiated using E and G is an AP-IND-CQA secure ORAM.

Proof. By assumption, the outputs of G are indistinguishable from random. Therefore, in the following analysis, we can w.l.o.g. replace G with a real source of randomness.

Suppose that there exists an adversary A and a non-negligible ε, such that:
$$\Pr\left[\mathsf{Game}^{\text{AP-IND-CQA}}_{\mathsf{PathORAM},A} = 1\right] = \frac{1}{2} + \varepsilon.$$
We will use A in a black-box way to construct a PPT algorithm able to break the IND-CPA security of E, against the assumption. The idea is to build an algorithm D which simulates a PathORAM client C, playing the AP-IND-CQA game against A (w.l.o.g., we assume that A itself simulates the server S, otherwise S can also be simulated by D). Throughout the game, D also stores a copy of the server's database S.DB, in plaintext. This is allowed, as S.DB is of size linear in $n_{db}$, and D is only simulating C, so he is not limited by the storage constraints usually assumed in a normal ORAM client. Then D will use the interaction with A to win the IND-CPA game for scheme E.

More in detail: first, D executes A. Then A starts $\mathsf{Game}^{\text{AP-IND-CQA}}_{\mathsf{PathORAM},A}$ by choosing n and $n_{db}$, and D simulates a PathORAM client C created during Init, by initializing his own position map (populated with random values), but without generating a secret encryption key. Furthermore, D creates a tree memory structure of height $n_{tree}$, with leaves indexed $0, \ldots, 2^{n_{tree}} - 1$, where every node stores $n_{bkt}$ plaintexts of bit size $n_{msg}$, which are initialized to $(0^{n_{tag}} \,\|\, 0^{n_{dat}})$ (the parameters are the same as in Construction 3.63). This structure will be used by D to 'mirror' S.DB in cleartext throughout the execution of PathORAM. D now starts $\mathsf{Game}^{\text{IND-CPA}}_{E,D}$, obtaining oracle access to $\mathsf{Enc}_k$ for an unknown secret key k, and choosing as security parameter the same n chosen by A. At this point, notice that D is able to perfectly simulate a valid client C having access to the key k, in the following way:
• whenever C downloads a branch of S.DB identified by leaf r by calling Access, D does the same (although the blocks in such downloaded branch will be ignored, as we will see);
• whenever C decrypts a certain block in a downloaded branch, D simulates the decryption oracle $\mathsf{Dec}_k$ by fetching the plaintext $(i \,\|\, \mathsf{data})$ found at the corresponding position in the 'mirrored' tree;
• whenever C swaps two blocks in a downloaded branch, D swaps the two plaintexts found at the corresponding positions in the 'mirrored' tree;
• whenever C encrypts a plaintext $(i \,\|\, \mathsf{data})$ to obtain a new encrypted block, D does so by using the encryption oracle $\mathsf{Enc}_k$ obtained from the IND-CPA game;
• whenever C updates his position map, or uploads an updated branch to S.DB, D does the same.

Given the above, it is clear that now whenever A asks for the execution of a data request dr, D is able to simulate the correct communication transcript com and a correctly formed updated branch NewBranch. Therefore, for every data request performed during the first CQA phase, A always receives the correct access pattern.

Eventually, at the challenge step A produces two data requests $\mathsf{dr}_0, \mathsf{dr}_1$, and requests the execution of one of them. For $a \in \{0,1\}$, let $\mathsf{dr}_a = (\mathsf{op}_a, i_a, \mathsf{data}_a)$ be the two data requests and let $m_a \in \{0,1\}^{n_{msg}}$ be formed as follows:
• if $\mathsf{op}_a$ = 'write', then set $m_a = (i_a \,\|\, \mathsf{data}_a)$;
• else, set $m_a = (i_a \,\|\, \mathsf{data}_{i_a})$, where $\mathsf{data}_{i_a}$ is retrieved by looking for identifier $i_a$ in the mirrored tree.
Now, it could happen that $m_0 = m_1$. For example, it might be that the two data requests are of the form ('write', i, data) and ('read', i, data) respectively, but $\mathsf{block}_i$ already encodes data. If this happens we say that the challenge query is non-meaningful. It is easy to see that two data requests from a non-meaningful challenge query will produce the same statistical distributions of communication transcripts and updated paths, because their effect on the database is equivalent. Therefore, since A distinguishes the two resulting access patterns with non-negligible probability by assumption, it is clear that the challenge query must be meaningful, i.e., $m_0 \neq m_1$.

At this point D executes the challenge IND query using $m_0, m_1$ as plaintexts, and receives back an encryption $c \leftarrow \mathsf{Enc}_k(m_b)$ for a secret bit b. D will also generate a random bit $b^* \xleftarrow{\$} \{0,1\}$ (a 'guess'), and will answer A's challenge query by simulating the execution of $\mathsf{dr}_{b^*}$ as in the CQA phase, but injecting c as an updated block with identifier $i_{b^*}$ during the execution of $\mathsf{dr}_{b^*}$. Then D keeps simulating C during the second CQA phase as before, and waits until A outputs a bit $\hat{b}$. Finally: if $\hat{b} = b^*$, then D outputs $b^*$ in the IND-CPA game, otherwise D outputs a new random bit.

Now, notice the following. In the case that D's guess was correct, i.e., $b = b^*$, it means that c was the right ciphertext at the right place, so that A has received a correctly formed access pattern. This means that A correctly guesses $\hat{b} = b^*$ with probability at least $\frac{1}{2} + \varepsilon$, by assumption. In that case, also D wins, so:
$$\Pr\left[\mathsf{Game}^{\text{IND-CPA}}_{E,D} = 1 \,\middle|\, b = b^*\right] \geq \frac{1}{2} + \varepsilon. \qquad (3.1)$$
On the other hand, if $b \neq b^*$ we cannot say anything on A's success probability, because now A has a malformed access pattern. But we can say that, even if A fails, D still succeeds with probability $\frac{1}{2}$:
$$\Pr\left[\mathsf{Game}^{\text{IND-CPA}}_{E,D} = 1 \,\middle|\, b \neq b^*\right] \geq \frac{1}{2}. \qquad (3.2)$$
Thus, combining 3.1 and 3.2, and since $b^*$ is chosen independently of b (so that each case occurs with probability $\frac{1}{2}$), the reduction's overall success probability is:
$$\Pr\left[\mathsf{Game}^{\text{IND-CPA}}_{E,D} = 1\right] \geq \frac{1}{2}\left(\frac{1}{2} + \varepsilon\right) + \frac{1}{2} \cdot \frac{1}{2} = \frac{1}{2} + \frac{\varepsilon}{2},$$
which concludes the proof.

Notice how this is not true anymore if the values in the position map are not totally random. Therefore, this step fails if the PRNG used is not secure.

Chapter 4. QS1: Post-Quantum Security
The next step in our analysis of quantum security notions is to consider what happens to classical encryption primitives when the adversaries have access to a quantum computing device. In this scenario, the cryptographic objects we are studying are still classical, as in the security class QS0. However, since many constructions in QS1 post-quantum cryptography. That is, post-quantum cryptography is about the security of classical primitives after (hence ‘post-’) quantum computing becomes available. The security class which we denote by QS1 how do we model post-quantum security exactly? In the scientific community there has not always been mutual agreement on this. For example, one of the questions which cryptographers most often ask is: “When should one consider classical access to a function for a quantum adversary, and when should one consider quantum access instead?” As we will see, the answer to this question is: “Whenever the security model implies that the adversary computes the function on his local device, then quantum access should be used.”
We call this principle the QS1 . In this chapter we will discuss in detail the QS1

Admittedly, this naming is a bit misleading, because it might be meant as ‘cryptography resistant against the more advanced model of computation which will conceivably come after quantum computing’. We do not want to argue here about the term ‘post-quantum’, which has become commonly accepted in the literature.
My Scientific Contribution in this Chapter
Theorem 4.10 is commonly considered folklore, but to the best of my knowledge the first fully formal proof appears in [ABF+16].

4.1 Issues in Post-Quantum Security

Post-quantum security constructions are usually obtained by replacing some underlying hardness assumption with a different, quantum-hard assumption, and then repeating the construction process (i.e., the security proof) leading to the realization of a secure primitive as in QS0. For example, when designing a post-quantum signature scheme, a natural option would be to consider a signature scheme in QS0 learning with errors (LWE) or shortest vector problem (SVP). Alternatively, one could simply try to design a signature scheme from scratch by relying on a new security proof reducing the security of the scheme to the quantum hardness of one of the aforementioned mathematical problems. Traditionally, schemes produced by such approaches are labeled ‘post-quantum’. However, this labeling is sometimes inappropriate. The goal of this section is to give an overview of the many things that could go wrong when adopting too blindly the procedure described above, and to explain why one should take a more careful approach when defining meaningful notions of post-quantum security.

Proof Failures
The general issue when designing post-quantum primitives is that the classical security proofs might fail quantumly, even when only relying on quantum-hard assumptions. Common reasons for this are (but not limited to) the following.
• No-Cloning: when the security proof works by using the same value or element for two different purposes, care must be taken in making sure
• Memory Snapshots: as a consequence of the previous point, problems may arise when the security proof requires recording a ‘snapshot’ of an algorithm, or adversary, in order to execute it on different instances, or to analyze some internal area of memory. As the adversary is now a quantum machine, this cannot usually be done.
• Rewinding: analogously, proofs that use rewinding are notoriously hard to translate to the quantum setting. Limited positive results have been achieved in this respect in the existing literature [ARU14, Wat06].
• Quantum Queries: if the security proof requires ‘counting the number of queries’ to a certain oracle, it will probably fail when the oracle is replaced by a quantum oracle. The reason is that a quantum oracle can, in some sense, be queried over all the domain elements at once.
• Lookup Tables: analogously, if the proof requires storing a transcript of a protocol execution, including the query calls to some oracle, and if the oracle is quantum, problems may arise.
• Measurements: conditional procedures such as “if the value of $x$ is $y$, then do...” are often an issue in the context of analyzing quantum states, because the information in the state is usually destroyed in the measurement process. This is particularly problematic when analyzing the values of queries to quantum oracles, or when comparing those values to those contained in some set.
Unfortunately, there is no general recipe to solve all of the above problems, and much of the existing literature erroneously advertises cryptographic constructions as ‘post-quantum’ just because they are based on quantum-hard problems, without addressing the previous issues. We strongly argue against the use of the term ‘post-quantum’ when describing the security of such constructions. Regardless, over the last few years many important tools have been developed in order to deal with these problems.

Quantum-Classical Oracles
The first important concept to define is what happens when an oracle $O_f$ computing a classical function $f : X \to Y$ is invoked by a quantum algorithm. Two possible scenarios arise, depending on the interaction, or access mode, of the algorithm to the oracle:
1. the interaction is classical; in this case, the oracle is still a classical object which can be queried on classical inputs $x \in X$, returning outputs $y \in Y$; or
2. the interaction is quantum; in this case the classical oracle $O_f$ must be replaced by a quantum-classical oracle (which we denote by $|O_f\rangle$).
A quantum-classical oracle can be queried on a quantum superposition of classical input values, usually of the form:
\[ \sum_{x \in X,\, y \in Y} a_{x,y}\, |x, y\rangle, \qquad \text{where } \sum_{x,y} |a_{x,y}|^2 = 1, \]
and it returns a quantum state encoding somehow the evaluation of $f$ on the inputs in the superposition query. The exact form of the input and output states can vary, and it depends on the type of quantum access considered, as mentioned in Section 2.4. However, for most applications, and unless differently specified, we will denote by $|O_f\rangle$ the unitary operator acting as follows.

Definition 4.1 (Canonical Quantum-Classical Oracle). Let $X, Y$ be sets, and $f : X \to Y$. The (canonical) quantum-classical oracle for $f$, denoted by $|O_f\rangle$, is a unitary operator on $\mathcal{H}_{X \otimes Y}$, defined by:
\[ |O_f\rangle : |x, y\rangle \mapsto |x, y \oplus f(x)\rangle. \]
When not necessary to specify otherwise, in order to simplify notation we assume the ancilla register to be initialized with $|0\rangle$, so that:
\[ |O_f\rangle : \sum_{x \in X} a_x |x, 0\rangle \mapsto \sum_{x \in X} a_x |x, f(x)\rangle, \qquad \text{where } \sum_x |a_x|^2 = 1. \]
One important question regards quantum-classical oracles for randomized functions. For instance, if $f$ is a randomized function, we can make explicit the dependence on the randomness $r$ (sampled from some appropriate distribution $R$) by writing $y := f(x; r)$. Then the question is: when considering $|O_f\rangle$, should we consider superpositions of evaluations using the same, fixed randomness $r$, or should we consider evaluations where fresh randomness $r$ is sampled for every element in the superposition? In other words, should we consider:
\[ |O_f\rangle : \sum_{x \in X} a_x |x, 0\rangle \mapsto \sum_{x \in X} a_x |x, f(x; r)\rangle, \qquad \text{where } r \leftarrow R, \]
or should we consider the following instead?
\[ |O_f\rangle : \sum_{x \in X,\, r \leftarrow R} a_{x,r} |x, 0\rangle \mapsto \sum_{x \in X,\, r \leftarrow R} a_{x,r} |x, f(x; r)\rangle. \]
$r$ from $R$, and then applying a quantum-secure PRF (described in Section 5.2) to generate independent pseudorandom values for every component of the superposition query. Because of the security properties of such a PRF, the result would look the same to any QPT adversary.
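The canonical oracle of Definition 4.1, and the two readings of $|O_f\rangle$ for a randomized $f(x; r)$ just discussed, as an added toy simulation (this is not code from the thesis): a state is a dictionary from basis labels $(x, y)$ to amplitudes, the oracle is applied as the basis permutation $|x, y\rangle \mapsto |x, y \oplus f(x)\rangle$, and the per-component variant derives $r$ from $x$ with SHA-256 standing in for the quantum-secure PRF mentioned above. The function `f_rand` and the 4-bit registers are constructed for the example and are assumptions of it.

```python
import hashlib
from math import sqrt, isclose


def uniform_query(n):
    """Query state sum_x 2^{-n/2} |x, 0> over all n-bit x, with the output
    (ancilla) register set to |0> as in Definition 4.1.
    A state is represented as {(x, y): amplitude}."""
    amp = 1.0 / sqrt(2 ** n)
    return {(x, 0): amp for x in range(2 ** n)}


def apply_oracle(state, f):
    """|O_f> : |x, y> -> |x, y XOR f(x)>.  Every basis state is sent to exactly
    one basis state, so this is a permutation of the basis: amplitudes are
    moved, never added together or lost."""
    out = {}
    for (x, y), a in state.items():
        key = (x, y ^ f(x))
        out[key] = out.get(key, 0.0) + a
    return out


def norm_squared(state):
    return sum(abs(a) ** 2 for a in state.values())


def outputs_in_state(state):
    """The (x, y) labels carrying non-zero amplitude."""
    return {k for k, a in state.items() if not isclose(a, 0.0, abs_tol=1e-12)}


def oracle_is_unitary_involution(state, f):
    """What the definition claims: the oracle preserves the norm and, because
    XOR with f(x) is its own inverse, applying it twice restores the state."""
    once = apply_oracle(state, f)
    twice = apply_oracle(once, f)
    same_support = set(twice) == set(state)
    same_amps = all(isclose(twice[k], state[k]) for k in state)
    return isclose(norm_squared(once), norm_squared(state)) and same_support and same_amps


# --- the two readings of |O_f> for a randomized f(x; r) ---

def f_rand(x, r):
    """Constructed toy randomized function on 4-bit values."""
    return (3 * x + r) % 16


def fixed_randomness_oracle(r):
    """One r, sampled once, shared by every component of the superposition."""
    return lambda x: f_rand(x, r)


def per_component_oracle(key):
    """A different-looking r for each x, derived as PRF_key(x).  SHA-256 is
    the stand-in PRF here (an assumption of this example, not the thesis')."""
    def g(x):
        d = hashlib.sha256(key + x.to_bytes(8, "big")).digest()
        return f_rand(x, d[0] % 16)
    return g


def randomness_used(state):
    """Read back r from every component of a state that went through f_rand."""
    return [(y - 3 * x) % 16 for (x, y) in sorted(outputs_in_state(state))]
```

Running `apply_oracle(uniform_query(4), f)` for any classical `f` gives a state whose labels are exactly the pairs $(x, f(x))$, one per input, which is the "all inputs at once" behaviour the text refers to; the fixed-randomness oracle shows one $r$ in every component, the per-component one shows many.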
Quantum Reductions
Another thing to discuss is the meaning of quantum reductions. As in the classical case, a quantum reduction $\mathcal{B}$ from (the security of) a scheme $\Sigma$ to (the security of) a primitive, or (the hardness of) a problem $\Pi$, is an efficient algorithmic procedure which uses a hypothetical adversary $\mathcal{A}$ against $\Sigma$ to attack $\Pi$. The existence of a reduction shows that: if an efficient adversary against $\Sigma$ exists, then an efficient algorithm breaking $\Pi$’s security must also exist. In this work we only consider black-box reductions, that is, reductions which do not have access to $\mathcal{A}$’s or $\Sigma$’s internal code/circuit, but are only allowed to use the interactions between these components to attack $\Pi$.
Let us consider different possible scenarios in the quantum world. The following is a classification of possible (post-)quantum security reductions.
1. $\mathcal{A}$ is classical but $\mathcal{B}$ is quantum. In this case, $\mathcal{B}$ is a QPT algorithm using $\mathcal{A}$ as a (classical) subroutine. These kinds of reductions offer the weakest form of security guarantees because they basically say: “if a classical adversary against $\Sigma$ exists, then a quantum algorithm breaking $\Pi$’s security exists”. They do not say anything about the possibility that a quantum adversary against $\Sigma$ might exist, so they are not really useful in our QS1 weak quantum reductions.
2. $\mathcal{A}$ is quantum and $\mathcal{B}$ is quantum. This is the most common scenario. These reductions say: “if a quantum adversary against $\Sigma$ exists, then a quantum algorithm breaking $\Pi$’s security exists”. In particular, this rules out classical adversaries against $\Sigma$, but the existence of any of these adversaries would not necessarily imply a classical algorithm against $\Pi$, only a quantum one. We call these (standard) quantum reductions.
3. $\mathcal{A}$ is quantum but $\mathcal{B}$ is classical. These reductions offer the strongest security guarantees, because they say: “if a quantum adversary against $\Sigma$ exists, then a classical algorithm breaking $\Pi$’s security exists, with only black-box access to the adversary”. Not only does this rule out quantum and classical adversaries alike, but it also implies that the post-quantum security of $\Sigma$ can rely just on the post-quantum security of $\Pi$, so that in particular one does not need to worry about oracle access modes. We call these semi-classical reductions.
Finally, it should be discussed what ‘black-box’ means in the quantum setting. Classically, this means that $\mathcal{B}$ is allowed to interact with $\mathcal{A}$ without accessing $\mathcal{A}$’s internal code or state. In other words, $\mathcal{B}$ can only act on $\mathcal{A}$’s inputs, outputs, and oracle queries. Furthermore, in cryptographic reductions, one usually has to make sure that $\mathcal{B}$’s action is computationally undetectable for $\mathcal{A}$, which means that the probability that $\mathcal{A}$’s output is affected by this action is negligible. This is important, for example, in the case that $\mathcal{B}$ injects or reads values inside $\mathcal{A}$’s queries to an oracle.
In the quantum setting, we adopt the same principle: $\mathcal{B}$ can tamper with $\mathcal{A}$’s inputs, outputs, and queries, as long as $\mathcal{A}$’s behaviour is only negligibly affected. So, for example, $\mathcal{B}$ could measure (fully or partially) $\mathcal{A}$’s queries to some quantum oracle, and even modify the queries and reprogram the oracle, as long as it can be proven that this action does not disturb $\mathcal{A}$’s working behaviour too much.
However, one could also take a stricter approach. Since measuring unknown quantum states might destroy the information therein, we could also consider quantum reductions that do not measure external quantum states at all, and only rely on the classical interactions with $\mathcal{A}$ (or other oracles) instead. For example, in the case of quantum oracle queries, such reductions would ignore those queries, and only interact classically with the (quantum) adversary. Clearly, these ‘careful’ reductions are quite powerful, because they work even when ignoring some potential source of information (the quantum queries). They basically say: “if a quantum adversary against $\Sigma$ exists, then a quantum algorithm breaking $\Pi$’s security exists, by using only classical access to some external quantum resources”. These kinds of reductions are placed somewhere between points 2 and 3 of the above hierarchy, and we call them strong quantum reductions.

4.2 The Quantum Random Oracle Model

One archetypical example of where the QS1 Quantum Random Oracle Model (QROM). Recall that, in QS0, the Random Oracle Model (ROM) is a computation model where all parties have access to an oracle $O_h$ computing a function $h$ picked uniformly at random from the set of all functions from some domain $X$ to some range $Y$. This model is useful when analyzing the security of schemes employing PRFs or hash functions. In other words, the (truly) random function $h$ is just an abstraction, or a model, for a real-world function $g$ which we assume behaves like a random function. But this also means that the random oracle $O_h$ itself is an abstract model for the computation of the real-world, algorithmic function $g$, performed on some computer. And since the code for $g$ is public, and can be run by anyone (after all, in the ROM the access to $O_h$ is given to every participant in the scheme for this very reason), it is necessary to assume that a quantum $g$ on his quantum computer, therefore being able to query $g$ quantumly. Therefore, in the Quantum Random Oracle Model (QROM), the random oracle $O_h$ must be replaced by a quantum random oracle $|O_h\rangle$. It is important to stress the fact that there exist models where security is proven in the random oracle model against quantum adversaries. We strongly argue against the use of the term ‘post-quantum’ when referring to those models.
So, in other words, in QS1 must be replaced by the QROM, where every QPT algorithm has access to a quantum oracle:
\[ |O_h\rangle : |x, y\rangle \mapsto |x, y \oplus h(x)\rangle, \]
where $h$ is chosen uniformly at random from the set of all functions from $X$ to $Y$, as in the random oracle model.

QROM Emulation
Notice the following difficulty when defining the QROM operationally. Classically, as explained in Section 2.3, during a cryptographic reduction a random oracle is emulated by a PPT algorithm, for example through lazy sampling. But lazy sampling cannot work for quantum random oracles, for two reasons.
First of all, a single quantum query to $|O_h\rangle$ could require the emulator to lazy-sample too many elements. E.g., a query of the form:
\[ \sum_{x \in \{0,1\}^n} \frac{1}{\sqrt{2^n}}\, |x, 0\rangle \]
would query all the exponentially many input values at once, and so it would ‘force’ the emulator to ‘fix’ all those values at the same time. This is not compatible with what we require from an efficient cryptographic reduction.
The second problem is that the concept of a lookup table, used in the classical ROM to answer consistently with the previous queries, becomes meaningless. Firstly because such a table could quickly reach exponential size, as the previous query example shows; and secondly because, as discussed in Section 4.1, there might be no way to check whether the values of some query are in the table or not without destroying the query.
Luckily, there exist a few other techniques to solve the above issues and to make the QROM a meaningful tool in QS1. If the number of queries performed by the adversary to the QRO is known a priori, then the QRO can be efficiently emulated by $d$-wise independent functions. These are families of functions that are statistically indistinguishable from random functions if queried (classically) no more than $d$ times. An example are polynomial functions of degree $d - 1$. It is known [Zha12b] that no quantum algorithm performing at most $q$ queries can distinguish between random oracles and distributions of $2q$-wise independent functions.
Another common technique is to emulate a RO with a PRF, which is usefulif one does not know a priori an upper bound to the number of adversarialqueries. In the QROM we need something analogous, but classical PRFsalone cannot work. One idea might be to use post-quantum PRFs (we willdefine them in the next section), but actually for emulating a QRO, classicalaccess to the PRF is not enough, so we need something more: quantum-secure(superposition-secure) PRFs will be defined in the next chapter.
QROM Reprogramming
It is important to analyze what happens when reprogramming a quantum random oracle $|O_h\rangle$. In particular, a useful technique often consists in injecting some fixed value $y$ for a subset $S \subset X$ of possible input query values, so that $h(x) := y$ for all $x \in S$. Intuitively, if the set $S$ is ‘very small’, it is going to be very hard for a quantum algorithm to distinguish the modified oracle from a true QRO. However, some proofs might rely explicitly on the probability of the adversary querying one of those values, so it is important to have a detailed quantitative analysis for these probabilities.
We start by recalling [Zha12a] a tool known as semi-constant distributions.

Definition 4.2 (Semi-Constant Distributions). Let $H := \{h : X \to Y\}$ be the family of functions between sets $X$ and $Y$, and let $\delta \in [0,1]$. We define the $\delta$-fraction semi-constant distribution $U_\delta$ as the distribution over $H$ resulting from the following procedure:
  sample $y \xleftarrow{\$} Y$
  for all $x \in X$ do
    $p \xleftarrow{\$} [0,1]$
    if $p \le \delta$ then define $h(x) := y$
    else sample $y' \xleftarrow{\$} Y$ and define $h(x) := y'$
  Return: $h$
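The three emulation ideas of this and the previous subsection, as an added example (not code from the thesis): a lazily sampled classical random oracle, whose state grows with each distinct classical query; a bounded-query emulator that is a uniformly random polynomial of degree $2q-1$ over $\mathrm{GF}(p)$, i.e. a $2q$-wise independent function whose description is $2q$ field elements regardless of the domain size; and a sampler for the semi-constant distribution $U_\delta$ of Definition 4.2, which fixes the whole function once so that an oracle built on it answers consistently. The prime, seeds and domain sizes are constructed for the example.

```python
import random


class LazyRandomOracle:
    """Classical ROM emulation by lazy sampling: the table grows by one entry
    per distinct classical query and later queries are answered from it."""

    def __init__(self, out_bits, seed):
        self.table = {}
        self.out_bits = out_bits
        self.rng = random.Random(seed)

    def query(self, x):
        if x not in self.table:
            self.table[x] = self.rng.getrandbits(self.out_bits)
        return self.table[x]

    def state_size(self):
        return len(self.table)


class TwoQWiseOracle:
    """Emulation for a known query bound q: a uniformly random polynomial of
    degree 2q-1 over GF(p) is a 2q-wise independent function on {0,...,p-1}.
    Its whole description is the 2q coefficients, however large the domain."""

    def __init__(self, q, p, seed):
        rng = random.Random(seed)
        self.p = p
        self.coeffs = [rng.randrange(p) for _ in range(2 * q)]

    def query(self, x):
        acc = 0
        for c in reversed(self.coeffs):  # Horner's rule; no table is ever built
            acc = (acc * x + c) % self.p
        return acc

    def state_size(self):
        return len(self.coeffs)


def semi_constant(delta, domain_size, out_bits, seed):
    """Sampler for U_delta of Definition 4.2 on X = {0,...,domain_size-1}:
    one value y is fixed first, then every input independently gets y with
    probability delta and a fresh random value otherwise.  The function is
    fixed once, so an oracle built from it is consistent across queries."""
    rng = random.Random(seed)
    y = rng.getrandbits(out_bits)
    h = {}
    for x in range(domain_size):
        if rng.random() <= delta:
            h[x] = y
        else:
            h[x] = rng.getrandbits(out_bits)
    return h, y


def reprogrammed_fraction(h, y):
    """Fraction of inputs on which h carries the injected value y."""
    return sum(1 for v in h.values() if v == y) / len(h)
```

The polynomial emulator is what makes the "known number of queries" case workable: answering a query costs $2q$ field operations and the reduction never has to fix more than $2q$ values, whereas the lazy table would have to fix every input that carries amplitude in a superposition query.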
Notice that $U_0$ is the uniform distribution, while $U_1$ is a constant distribution. Also note that the distribution, when used within an oracle, is consistent in the sense that the settings are chosen once at the outset. We will use this definition to describe a QRO which has been ‘reprogrammed’ on a fraction $\delta$ of its possible inputs. The following lemma [Zha12b] gives an upper bound on the probability that a quantum algorithm’s behavior changes when switching from a true QRO to a quantum oracle for a function drawn from $U_\delta$, in terms of statistical distance.

Lemma 4.3 ([Zha12b, Corollary 4.3]). Let $\mathcal{A}^{|O_h\rangle}$ be a QPT algorithm making at most $q_h$ queries to the quantum random oracle $|O_h\rangle$. Let $\delta \in (0,1]$ and let $|O^{\delta}_h\rangle$ be the quantum-classical oracle obtained by reprogramming $O_h$ on a fraction $\delta$ of its possible inputs, i.e., $|O^{\delta}_h\rangle$ is described by the semi-constant distribution $U_\delta$. Then, the following holds:
\[ \Bigl|\, \mathcal{A}^{|O_h\rangle} - \mathcal{A}^{|O^{\delta}_h\rangle} \,\Bigr| \;\le\; \cdot\, q_h \cdot \delta \, . \]
The above lemma is quite general, because it does not take into account the specific values where the reprogramming happens, but just a generic fraction $\delta$ of all possible values. Therefore, it is especially useful in those cases where the quantum random oracle is reprogrammed randomly, i.e., by just replacing some of its values with a certain probability $\delta$. However, in all those cases where it is possible to track the specific amplitudes (across the oracle queries) of the elements to be reprogrammed, one can usually find better bounds, for example by using Lemma 2.11.

4.3 Post-Quantum Assumptions, Building Blocks

In this section we redefine the basic assumptions and building blocks for the post-quantum setting.
Post-Quantum OWFs
As in the QS0 post-quantum one-way functions (pqOWF) is a basic security assumption. Because a OWF’s code is public, and recalling the QS1 ‘for all’ PPT algorithms, without mentioning oracle access, it is enough to define post-quantum OWFs by just replacing PPT adversaries with QPT adversaries.
Definition 4.4 (Post-Quantum One-Way Functions (pqOWF) and Permutations (pqOWP)). Let $F = (F_n)_n$ be a DPT algorithm, with $F_n : X_n \to \{0,1\}^*$. $F$ is a (family of) post-quantum one-way functions (pqOWF) iff for any QPT algorithm $\mathcal{A}$ it holds:
\[ \Pr_{x \xleftarrow{\$} X}\bigl[ \mathcal{A}(F(x)) \to x' : F(x') = F(x) \bigr] \le \mathrm{negl}. \]
Moreover, in the special case where $F_n : X_n \to X_n$ are permutations on $X_n$ for every $n$, $F$ is a (family of) post-quantum one-way permutations (pqOWP).
The definition of post-quantum hard-core predicates is as in the QS0
Definition 4.5 (Post-Quantum Hard-Core Predicate). Let $F : X \to Y$ be a OWF. A polynomial-time computable function $hc_F : X \to \{0,1\}$ is a post-quantum hard-core predicate of $F$ iff, for any QPT algorithm $\mathcal{A}$ it holds:
\[ \Pr_{x \xleftarrow{\$} X}\bigl[ \mathcal{A}(F(x)) \to hc_F(x) \bigr] \le \tfrac{1}{2} + \mathrm{negl}. \]

Proposition 4.6.
Let $F$ be a pqOWF (resp., pqOWP). Then it is possible to efficiently transform $F$ into a pqOWF (resp., pqOWP) $H$ such that at least one post-quantum hard-core predicate $hc_H$ exists.
Given the above, from now on for simplicity we assume that every pqOWF admits post-quantum hard-core predicates. In the case that $F : X \to X$ (in particular, if $F$ is a pqOWP), the construction of hard-core bits can be iterated as in Proposition 2.5.

Post-Quantum OWTPs
The same discussion as in the case of post-quantum OWFs applies to the assumption of the existence of post-quantum one-way trapdoor permutations (pqOWTP). As usual, we express a family of pqOWTPs as indexed through an efficiently sampleable index family $I$ and associated trapdoor space $T$.

Definition 4.7 (Post-Quantum One-Way Trapdoor Permutation (pqOWTP)). A (family of) post-quantum one-way trapdoor permutations (pqOWTP) is a tuple $(\mathrm{Gen}, \mathrm{Eval}, \mathrm{Invert})$ of PPT algorithms:
1. $\mathrm{Gen} : \; \to I \times T$;
2. $\mathrm{Eval} : I \times X \to X$;
3. $\mathrm{Invert} : I \times T \times X \to X \cup \{\bot\}$,
and such that:
1. for any QPT algorithm $\mathcal{A}$ it holds:
\[ \Pr_{x \xleftarrow{\$} X,\ (i,t) \leftarrow \mathrm{Gen}}\bigl[ \mathcal{A}(i, \mathrm{Eval}(i, x)) \to x \bigr] \le \mathrm{negl}; \]
and
2. $\mathrm{Invert}(i, t, y) = \mathrm{Eval}(i, x)$, $\forall x \in X$, $\forall (i,t) \leftarrow \mathrm{Gen}$, $\forall y \leftarrow \mathrm{Eval}(i, x)$.
As in the QS0

Proposition 4.8 (pqOWTP ⟹ pqOWP ⟹ pqOWF). Let $P := (\mathrm{Gen}, \mathrm{Eval}, \mathrm{Invert})$ be a pqOWTP on $X$. Then, for all but a negligible fraction of possible sequences $((i_n, t_n))_n$ of outputs of $\mathrm{Gen}(n)$ ⟹ $\mathrm{Eval}(i_n, \cdot)$ is a pqOWP (and hence a pqOWF) on $X$.

Post-Quantum PRNGs
Again, the same principle from OWF and OWTP applies when translatingPRNGs to the post-quantum setting. Remember that the security propertyfor PRNGs does not mention any kind of oracle access or code emulation, butit just says that no efficient adversaries, by looking at the stream of (classical)values output by the PRNG, can distinguish such stream from a randomstream. So, the interaction is still classical, and the only change is that theadversary is now a quantum algorithm.
Definition 4.9 (Post-Quantum PRNG (pqPRNG)). Let $p$ be a polynomial such that $p(n) \ge n + 1$, $\forall n \in \mathbb{N}$. A post-quantum pseudorandom number generator (pqPRNG) with expansion factor $p$ is a DPT algorithm $G$ such that:
1. given as input a bit string $s \in \{0,1\}^n$ (the seed), it outputs a bit string $G(s) \in \{0,1\}^{p(n)}$; and
2. for any QPT algorithm $\mathcal{D}$:
\[ \bigl| \Pr[\mathcal{D}(r) \to 1] - \Pr[\mathcal{D}(G(s)) \to 1] \bigr| \le \mathrm{negl}, \]
where $r \xleftarrow{\$} \{0,1\}^{p(n)}$, $s \xleftarrow{\$} \{0,1\}^n$, and the probabilities are taken over the choice of $r$ and $s$, and the randomness of $\mathcal{D}$.
Moreover, as noticed in Section 3.1, the proof of Theorem 3.3 still goes through in the post-quantum scenario, because it does not make any assumption on the query capabilities of the adversary.

Theorem 4.10 ([ABF+16, Lemma 19]). If $F$ is a pqOWF, then $G_F$ (defined as in Construction 3.2) is a pqPRNG.

Corollary 4.11 (pqOWF ⇔ pqPRNG). pqOWFs exist iff pqPRNGs exist.

Clearly, a pqPRNG is also a PRNG. However, the opposite is not believed to hold, as the following example shows.
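The separating generator of Lemma 4.12 below, the modular-exponentiation Blum-Micali generator, as an added toy implementation (not code from the thesis) to make "quantumly predictable" concrete: the state moves as $s_{i+1} = g^{s_i} \bmod p$ and each step outputs a hard-core bit of the new state. The concrete predicate (1 iff the state is below $(p-1)/2$, the usual Blum-Micali choice), the tiny prime $p = 1019$, the base $g = 2$ and the seed are assumptions of this example. The attack sketched in the proof recovers the generator's state by solving discrete logarithms on a quantum computer; here an exhaustive search on the toy prime stands in for that step, which is enough to show the property the lemma is about, namely that once the state is known every later output is determined.

```python
def bm_step(p, g, s):
    """One state transition of the generator: s -> g^s mod p."""
    return pow(g, s, p)


def hardcore_bit(p, s):
    """Hard-core predicate of the state used for the output bit.  We take the
    usual Blum-Micali predicate (1 iff s < (p-1)/2); the text only requires
    some hard-core predicate, so this is an assumption of the example."""
    return 1 if s < (p - 1) // 2 else 0


def blum_micali_bits(p, g, seed, nbits):
    """Output stream: step the state, emit a hard-core bit of the new state."""
    bits = []
    s = seed
    for _ in range(nbits):
        s = bm_step(p, g, s)
        bits.append(hardcore_bit(p, s))
    return bits


def first_state(p, g, seed):
    """s_1 = g^seed mod p, the first internal state after the seed."""
    return bm_step(p, g, seed)


def predict_from_state(p, g, s1, nbits):
    """Given any recovered state s1, every later output is determined: this is
    exactly what 'predictable' means in Lemma 4.12."""
    bits = [hardcore_bit(p, s1)]
    s = s1
    for _ in range(nbits - 1):
        s = bm_step(p, g, s)
        bits.append(hardcore_bit(p, s))
    return bits


def brute_force_dlog(p, g, target):
    """Stand-in for the quantum discrete-logarithm subroutine of the attack:
    returns an exponent e with g^e = target (mod p), or None.  Exhaustive
    search is only feasible because p is a toy prime."""
    s = 1
    for e in range(p - 1):
        if s == target:
            return e
        s = (s * g) % p
    return None
```

With a classically secure choice of $p$ the discrete logarithm is infeasible and the state stays hidden, which is the classical PRNG security argument; the point of the lemma is that a quantum adversary can perform the `brute_force_dlog` step efficiently, and from that point the stream is fully known.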
Lemma 4.12. Under the DLP hardness assumption, there exists a PRNG $G_{BM}$ which is quantumly predictable. I.e., there exists a non-negligible function $\delta$ and a QPT algorithm $\mathcal{D}$ which, on input $n$ sequential values output by $G_{BM}$ on any random seed, predicts the $(n+1)$-th value output by $G_{BM}$ with probability at least $\delta(n)$.

Proof. A counterexample $G_{BM}$ is the modular exponentiation Blum-Micali generator [KL07], but many other similar variants work as well [GdAJ13]. This construction is based on exponentiation of a public generator $g$ modulo a public large prime $p$, and it is a classically secure PRNG under the assumption that computing discrete logarithms is computationally hard. More specifically, if $s_i$ is the current state of the generator, one output bit is computed as a hard-core predicate of the value $s_{i+1} = g^{s_i} \bmod p$ (where $s_{i+1}$ becomes the next state of the generator). Thus, starting from a secret seed $s$, a pseudorandom bit string can be generated by applying the procedure iteratively.
However, there exists a quantum attack [GdAJ13] (based on variants of both Shor’s and Grover’s algorithms) which, given $p, g$ and a sequence $(r_1, \ldots, r_n)$ of values output by $G_{BM}$, can recover the initial state $s$ with probability $\delta$ non-negligible in $n$. This, in turn, allows one to predict the whole sequence of $G_{BM}$.

Post-Quantum PRFs
The case of pseudorandom functions, instead, is a bit different. Definition 3.5 specifically conditions the existence of (classical) PRFs on the query capabilities of the adversary, so we should make a distinction whether, in the post-quantum case, these queries should still be classical or not.
The QS1 “normally, no, because he does not know the secret key”. After all, the whole point of a PRF is that the adversary should not be able to distinguish the output of the PRF from the output of an (abstractly defined) completely random function, which in particular means that the adversary should not be able to see the PRF’s code, because there might be no code at all. This is in striking contrast with the QROM, and the reason is that a QRO models a public hash function, which everybody can compute, while a PRF exists as long as the key remains secret.
In other words, post-quantum pseudorandom functions (pqPRFs) are defined by merely replacing the PPT adversary with a QPT adversary, and keeping the oracle access classical. Quantum-secure PRFs instead, as defined in [BDF+11, Zha12a], are a different object, and they will be presented in the next chapter in the context of the domain QS2.

Definition 4.13 (Post-Quantum Pseudorandom Function (pqPRF)). A (family of) post-quantum pseudorandom functions (pqPRF) from $X$ to $Y$ with key space $K$ is a DPT algorithm $F : (k \in K, x \in X) \mapsto y \in Y$ such that for any QPT algorithm $\mathcal{D}$ it holds:
\[ \Bigl| \Pr_{k \xleftarrow{\$} K}\bigl[ \mathcal{D}^{F_k} \to 1 \bigr] - \Pr_{h \xleftarrow{\$} Y^X}\bigl[ \mathcal{D}^{O_h} \to 1 \bigr] \Bigr| \le \mathrm{negl}, \]
where $O_h$ is an oracle for $h$ (i.e., a random oracle), and the probabilities are over the choice of $k$ and $h$, and the randomness of $\mathcal{D}$.
Moreover, the same proofs for Theorems 3.6 and 3.7 go through unchanged, because we are not modifying the oracle access mode, but just the adversary’s computation model. As a consequence, we can state the following.

Theorem 4.14 (pqPRF ⇔ pqPRNG). pqPRFs exist iff pqPRNGs exist.

Corollary 4.15. pqOWFs exist iff pqPRFs exist.
Post-Quantum PRPs
The case of post-quantum PRPs is analogous to the one for pqPRFs.
Definition 4.16 (Post-Quantum Weak PRP (pqWPRP)). A (family of) post-quantum weak pseudorandom permutations (pqWPRP) on $X$ with key space $K$ is a pair of DPT algorithms $(P, P^{-1}) : (k \in K, x \in X) \mapsto x' \in X$ such that:
1. $\forall k \in K \implies P_k, P^{-1}_k$ are permutations on $X$;
2. $\forall k \in K \implies (P_k)^{-1} = P^{-1}_k$; and
3. for any QPT algorithm $\mathcal{D}$ it holds:
\[ \Bigl| \Pr_{k \xleftarrow{\$} K}\bigl[ \mathcal{D}^{P_k} \to 1 \bigr] - \Pr_{p \xleftarrow{\$} S(X)}\bigl[ \mathcal{D}^{O_p} \to 1 \bigr] \Bigr| \le \mathrm{negl}, \]
where $O_p$ is an oracle for $p$, and the probabilities are over the choice of $k$ and $p$, and the randomness of $\mathcal{D}$.

Definition 4.17 (Post-Quantum Strong PRP (pqSPRP)). A (family of) post-quantum strong pseudorandom permutations (pqSPRP) on $X$ with key space $K$ is a pair of DPT algorithms $(P, P^{-1}) : (k \in K, x \in X) \mapsto x' \in X$ such that:
1. $\forall k \in K \implies P_k, P^{-1}_k$ are permutations on $X$;
2. $\forall k \in K \implies (P_k)^{-1} = P^{-1}_k$; and
3. for any QPT algorithm $\mathcal{D}$ it holds:
\[ \Bigl| \Pr_{k \xleftarrow{\$} K}\bigl[ \mathcal{D}^{P_k, P^{-1}_k} \to 1 \bigr] - \Pr_{p \xleftarrow{\$} S(X)}\bigl[ \mathcal{D}^{O_p, O_{p^{-1}}} \to 1 \bigr] \Bigr| \le \mathrm{negl}, \]
where $O_p$ is an oracle for $p$, $O_{p^{-1}}$ is an oracle for $p^{-1}$, and the probabilities are over the choice of $k$ and $p$, and the randomness of $\mathcal{D}$.
When left unspecified, by ‘pqPRP’ we mean the strong version. A pqPRP is clearly also a pqPRF, but the converse does not necessarily hold. Again, as we are not modifying the oracle access mode, the classical constructions of PRPs from PRFs go through unchanged in the post-quantum setting. Therefore, the existence of pqPRPs is also equivalent to the existence of pqOWFs.

Theorem 4.18 (pqPRF ⇔ pqPRP). pqPRFs exist iff pqPRPs exist.
4.4 Post-Quantum Encryption

Post-quantum encryption schemes are classical encryption schemes meant to retain their security also against quantum adversaries. It is common for this scenario to just assume the same definitions and security notions we saw in Chapter 3, and just replace PPT adversaries with QPT ones. However, in the case of public-key encryption, one must be a bit careful in doing so.
Post-Quantum Secret-Key Encryption
Following the QS1 post-quantum secret-key encryption one can just ‘blindly’ replace classical adversaries with quantum ones, because the adversary itself is never supposed to run encryption or decryption procedures locally (after all, he does not have the secret key). So we discuss here the modified security definitions as follows (we do it just for the IND and IND-CPA notions, but the same procedure yields equivalent post-quantum security notions for SEM, IND-CCA1, and IND-CCA2). As usual, $\mathcal{E} := \mathcal{E}_{K,X,Y} := (\mathrm{KGen}, \mathrm{Enc}, \mathrm{Dec})$ denotes a SKES with plaintext space $X$, ciphertext space $Y$, and key space $K$.

Definition 4.19 (Post-Quantum IND Adversary). Let $\mathcal{E}$ be a SKES. A post-quantum IND (pq-IND) adversary $\mathcal{A}$ for $\mathcal{E}$ is a pair of QPT algorithms $\mathcal{A} := (\mathcal{M}, \mathcal{D})$, where:
1. $\mathcal{M} : \; \to X \times X \times \mathcal{H}$ is the pq-IND message generator;
2. $\mathcal{D} : Y \times \mathcal{H} \to \{0,1\}$ is the pq-IND distinguisher,
where $\mathcal{H}$ is a Hilbert space of appropriate dimension, modeling the state communication register between $\mathcal{M}$ and $\mathcal{D}$.

Experiment 4.20 ($\mathrm{Game}^{\mathrm{pq\text{-}IND}}_{\mathcal{E},\mathcal{A}}$). Let $\mathcal{E}$ be a SKES, and $\mathcal{A} := (\mathcal{M}, \mathcal{D})$ a pq-IND adversary. The pq-IND experiment proceeds as follows:
  Input: $n \in \mathbb{N}$
  $k \leftarrow \mathrm{KGen}$
  $(m_0, m_1, |\mathrm{state}\rangle) \leftarrow \mathcal{M}$
  $b \xleftarrow{\$} \{0,1\}$
  $c \leftarrow \mathrm{Enc}_k(m_b)$
  $b' \leftarrow \mathcal{D}(c, |\mathrm{state}\rangle)$
  if $b' = b$ then Output: 1
  else Output: 0
The advantage of $\mathcal{A}$ is defined as:
\[ \mathrm{Adv}^{\mathrm{pq\text{-}IND}}_{\mathcal{E},\mathcal{A}} := \Pr\bigl[ \mathrm{Game}^{\mathrm{pq\text{-}IND}}_{\mathcal{E},\mathcal{A}} \to 1 \bigr] - \tfrac{1}{2}. \]

Definition 4.21 (Post-Quantum Indistinguishability (pq-IND)). A SKES $\mathcal{E}$ has post-quantum indistinguishable encryptions (or, it is pq-IND secure) iff, for any pq-IND adversary $\mathcal{A}$ it holds that:
\[ \mathrm{Adv}^{\mathrm{pq\text{-}IND}}_{\mathcal{E},\mathcal{A}} \le \mathrm{negl}. \]

Experiment 4.22 ($\mathrm{Game}^{\mathrm{pq\text{-}IND\text{-}CPA}}_{\mathcal{E},\mathcal{A}}$). Let $\mathcal{E}$ be a SKES, and $\mathcal{A} := (\mathcal{M}, \mathcal{D})$ a pq-IND adversary. The pq-IND-CPA experiment proceeds as follows:
  Input: $n \in \mathbb{N}$
  $k \leftarrow \mathrm{KGen}$
  $(m_0, m_1, |\mathrm{state}\rangle) \leftarrow \mathcal{M}^{\mathrm{Enc}_k}$
  $b \xleftarrow{\$} \{0,1\}$
  $c \leftarrow \mathrm{Enc}_k(m_b)$
  $b' \leftarrow \mathcal{D}^{\mathrm{Enc}_k}(c, |\mathrm{state}\rangle)$
  if $b' = b$ then Output: 1
  else Output: 0
The advantage of $\mathcal{A}$ is defined as:
\[ \mathrm{Adv}^{\mathrm{pq\text{-}IND\text{-}CPA}}_{\mathcal{E},\mathcal{A}} := \Pr\bigl[ \mathrm{Game}^{\mathrm{pq\text{-}IND\text{-}CPA}}_{\mathcal{E},\mathcal{A}} \to 1 \bigr] - \tfrac{1}{2}. \]

Definition 4.23 (Post-Quantum Indistinguishability of Ciphertexts under Chosen Plaintext Attack (pq-IND-CPA)). A SKES $\mathcal{E}$ has post-quantum indistinguishable encryptions under chosen plaintext attack (or, it is pq-IND-CPA secure) iff, for any pq-IND adversary $\mathcal{A}$ it holds that:
\[ \mathrm{Adv}^{\mathrm{pq\text{-}IND\text{-}CPA}}_{\mathcal{E},\mathcal{A}} \le \mathrm{negl}. \]
Clearly, pq-IND-CPA is at least as strong as IND-CPA.
Theorem 4.24 (pq-IND-CPA = ⇒ IND-CPA) . If a SKES is pq-IND-CPAsecure, then it is also IND-CPA secure.
It is common folklore that, unlike some PKES, the most widely used constructions for SKES are actually also post-quantum secure. However, the converse of Theorem 4.24 does not hold, and it is important to remember that post-quantum notions for SKES are actually strictly stronger than the classical ones in QS1.

Theorem 4.25 (IND-CPA SKES ⇏ pq-IND-CPA SKES). Under standard hardness assumptions, there exist SKES which are IND-CPA secure, but not pq-IND-CPA secure.

Proof (sketch). It is sufficient to consider an IND-CPA SKES which appends to every ciphertext the secret key used, encrypted with another, IND-CPA but non–post-quantum secure PKES (e.g., some RSA variant) under a fixed, known public key. With the knowledge of the public key, a quantum adversary can emulate a quantum oracle for the encryption of the PKES, which can then be broken by, e.g., Shor’s algorithm, thus revealing the SKES’s secret key.
Chapter 4. QS1: Post-Quantum Security
Figure 4.1: Relations for SKES security notions in QS1.

The Goldreich scheme from Construction 3.26 is pq-IND-CPA when instantiated with a pqPRF, because the same arguments used in Theorem 3.27 go through as long as the adversary is unable to distinguish the PRF from a real source of randomness.

Theorem 4.26. Let E_F be the SKES from Construction 3.26 implemented through a pqPRF F. Then E_F is a pq-IND-CPA SKES.

The same relations and separation examples between pq-IND, pq-IND-CPA, pq-IND-CCA1, and pq-IND-CCA2 hold as from Section 3.2, with analogous separation examples from their classical counterparts as in Theorem 4.25. Therefore, the relations between security notions for SKES in QS1 are as depicted in Figure 4.1.

Post-Quantum Public-Key Encryption

In post-quantum public-key encryption schemes the situation is quite different. The reason is that, in this case, the presence of a public key allows the adversary to compute encryptions autonomously. In this scenario, following the QS1 approach, Enc_pk should be replaced by the quantum counterpart |Enc_pk⟩. However, this is only true for the learning phases during the security game (recall that, for PKES, IND security alone does not constitute a meaningful notion). The IND phase, on the other hand, models the attack of the adversary against the encryption of some unknown message, an encryption that, therefore, is performed by some classical third party (the IND challenger). Moreover, as M and D are QPT algorithms, giving them the public key pk as input automatically implies access to |Enc_pk⟩. The resulting post-quantum IND-CPA security game is modified as follows.

Experiment 4.27 (Game^{pq-IND-CPA}_{E,A} for PKES). Let E be a PKES, and A := (M, D) a pq-IND adversary. The pq-IND-CPA experiment (in the post-quantum public-key setting) proceeds as follows:
  Input: n ∈ N
  (pk, sk) ← KGen
  (m_0, m_1, |state⟩) ← M(pk)
  b ←$ {0,1}
  c ← Enc_pk(m_b)
  b' ← D(c, |state⟩, pk)
  if b' = b then Output: 1 else Output: 0
The advantage of A is defined as:
$$\mathrm{Adv}^{\text{pq-IND-CPA}}_{\mathcal{E},\mathcal{A}} := \Pr\left[\text{Game}^{\text{pq-IND-CPA}}_{\mathcal{E},\mathcal{A}} \to 1\right] - \tfrac{1}{2}.$$

Notice how only the encryption oracle during the learning phases is replaced by a quantum oracle, but it is still classical during the IND phase. This notion was introduced in [BZ13b], but we will discuss the implications of this important difference further in Section 5.3. Also notice how
$$\text{Game}^{\text{pq-IND-CPA}}_{\mathcal{E},\mathcal{A}} = \text{Game}^{\text{pq-IND},\,|\mathrm{Enc}_{pk}\rangle}_{\mathcal{E},\mathcal{A}}$$
only holds for the public-key setting.

The security notions pq-IND-CCA1 and pq-IND-CCA2 in the public-key setting are a straightforward modification of the ones for the SKES case, by giving the adversary quantum oracle access to |Enc_pk⟩ – but the oracle Dec_sk remains classical. It is well known that certain PKES which are IND-CPA secure under standard assumptions are not pq-IND-CPA secure (examples are RSA, ElGamal, EC-based schemes, etc.). Instead, pq-IND-CPA (or stronger) PKES can be constructed under other quantum-hardness assumptions, as discussed in Section 2.3.

Post-Quantum Signatures

In the case of post-quantum signature schemes, as the oracle access to Sign_sk is kept classical according to the QS1 approach, it is sufficient to replace PPT adversaries with QPT ones.
Experiment 4.28 (Game^{pq-EUF-CMA}_{Sig,A}). Let Sig be a DSS, and A a QPT algorithm. The pq-EUF-CMA experiment proceeds as follows:
  Input: n, q_s ∈ N
  (pk, sk) ← KGen
  (x, sig) ← A^{Sign_sk}(pk), after making at most q_s queries to Sign_sk, receiving signatures (x_1, sig_1), ..., (x_{q_s}, sig_{q_s})
  if SigVerify(pk, x, sig) = 1 and x ≠ x_i ∀ i = 1, ..., q_s then Output: 1 else Output: 0
The advantage of A is defined as:
$$\mathrm{Adv}^{\text{pq-EUF-CMA}}_{\mathsf{Sig},\mathcal{A}}(n, q_s) := \Pr\left[\text{Game}^{\text{pq-EUF-CMA}}_{\mathsf{Sig},\mathcal{A}}(n, q_s) \to 1\right].$$

Definition 4.29 (Post-Quantum Existential Unforgeability under Chosen Message Attack (pq-EUF-CMA)). A DSS Sig is post-quantum existentially unforgeable under chosen message attack (or, it is pq-EUF-CMA secure) iff, for any QPT algorithm A it holds that: Adv^{pq-EUF-CMA}_{Sig,A} ≤ negl.

However, the situation changes in the case of signatures in the random oracle model: in this case, it would not make sense to define a notion of post-quantum security without switching to the quantum random oracle model. The resulting security notion should be called, for consistency with our naming conventions, pq-EUF-CMA-QRO. However, it is clear that the presence of a QRO automatically implies QPT adversaries, which in turn implies a post-quantum security notion at least. Therefore, for simplicity, we will call this new security notion just EUF-CMA-QRO.

Experiment 4.30 (Game^{EUF-CMA-QRO}_{Sig,A}). Let Sig be a DSS, O_h a random oracle with corresponding quantum random oracle |O_h⟩, and A a QPT algorithm. The EUF-CMA-QRO experiment proceeds as follows:
  Input: n, q_s, q_h ∈ N
  (pk, sk) ← KGen^{O_h}
  (x, sig) ← A^{Sign_sk, |O_h⟩}(pk), after making at most q_h queries to |O_h⟩ and q_s queries to Sign_sk, receiving signatures (x_1, sig_1), ..., (x_{q_s}, sig_{q_s})
  if SigVerify(pk, x, sig) = 1 and x ≠ x_i ∀ i = 1, ..., q_s then Output: 1 else Output: 0
The advantage of A is defined as:
$$\mathrm{Adv}^{\text{EUF-CMA-QRO}}_{\mathsf{Sig},\mathcal{A}}(n, q_s, q_h) := \Pr\left[\text{Game}^{\text{EUF-CMA-QRO}}_{\mathsf{Sig},\mathcal{A}}(n, q_s, q_h) \to 1\right].$$

Notice how, in the above experiment, only the adversary has access to |O_h⟩, while honest parties only have access to O_h.

Definition 4.31 ((Post-Quantum) Existential Unforgeability under Chosen Message Attack in the Quantum Random Oracle Model (EUF-CMA-QRO)). A DSS Sig is (post-quantum) existentially unforgeable under chosen message attack in the quantum random oracle model (or, it is EUF-CMA-QRO secure) iff, for any QPT algorithm A it holds that: Adv^{EUF-CMA-QRO}_{Sig,A} ≤ negl.

4.6. Fiat-Shamir in the QROM

The Fiat-Shamir transformation is a fascinating example of how things can go wrong when blindly switching to QPT adversaries in defining post-quantum security notions. The presence of a random oracle and, especially, of rewinding in the security proof makes this a case to be treated carefully.

In the last few years, a few works have been presented dealing with the FS transformation in a quantum world. Here, we only discuss the results from Dagdelen et al. [DFG13], which was historically the first work in the direction of assessing the security of FS in the quantum world.
Preliminaries
We start by defining quantum-hard languages as the ‘post-quantum analogue’ of hard languages.

Definition 4.32 (Quantum-Hard Language). A hard language L_{W,R,Inst} is a quantum-hard language iff for any QPT algorithm A it holds:
$$\Pr_{(x,w) \leftarrow \mathrm{Inst}}\left[(x, \mathcal{A}(x)) \in R\right] \le \mathrm{negl}.$$

Next, we identify a special class of Σ-protocols, where the prover’s commitment com does not depend on the witness w.

Definition 4.33 (Σ-Protocol with Witness-Independent Commitments). A Σ-protocol (P, V) for a hard language L_{W,R,Inst} has witness-independent commitments iff there exists a PPT algorithm Com which, on input a statement x ∈ L, produces the same distribution as the prover’s first message com(x, w) for input (x, w) ← Inst. In this case, we also write the first message as com ← Com(x).

Many Σ-protocols are actually of this type. Examples are the well-known graph-isomorphism proof [GMW86], the Schnorr proof of knowledge [Sch91], or the protocol for lattices used in an anonymous credential system [CNR12]. A typical example of a non–witness-independent commitment Σ-protocol is the graph 3-coloring ZKPoK scheme [GMW86], where the prover commits to a random permutation of the coloring.

Finally, we define a class of Σ-protocols where the prover’s commitment com can actually be generated obliviously by the verifier instead.

Definition 4.34 (Σ-Protocol with Oblivious Commitments). A Σ-protocol (P, V) for a hard language L_{W,R,Inst} has oblivious commitments iff there exist PPT algorithms Com and SmplRnd such that the following distributions are statistically indistinguishable:
  Input: n ∈ N, (x, w) ∈ R
  r ←$ {0,1}^{poly(n)}
  com ← Com(x; r)
  ch ← V(x, com)
  resp ← P(x, w, com, ch)
  Output: (x, w, r, com, ch, resp)
and
  Input: n ∈ N, (x, w) ∈ R
  (com, ch, resp) ← ⟨P(x, w), V(x)⟩
  r ← SmplRnd(x, com)
  Output: (x, w, r, com, ch, resp)

Notice that a Σ-protocol with oblivious commitments has, in particular, witness-independent commitments. With oblivious commitments, the prover is able to compute a response from the given commitment com without knowing the randomness used to compute the commitment. This is usually achieved by placing some extra trapdoor into the witness w. For example, for the Guillou-Quisquater RSA-based proof of knowledge [GQ88], where the prover shows knowledge of w ∈ Z_n^* with w^e = y mod n for x = (e, n, y), the prover would need to compute an e-th root for a given commitment r ∈ Z_n^*. If the witness contained the prime factorization of n, instead of the e-th root of y, this would indeed be possible.

Σ-protocols with oblivious commitments allow moving the generation of the commitment from the prover to the honest verifier. For most schemes this infringes on active security, because a malicious verifier could generate the commitment ‘non-obliviously’. However, the scheme remains honest-verifier zero-knowledge, and this suffices for deriving secure signature schemes through the FS transformation. We call such a modified scheme a Λ-protocol.

Definition 4.35 (Λ-Protocol). Let (P, V) be a Σ-protocol for a hard language L_{W,R,Inst} with oblivious commitments. The Λ-protocol (P_Λ, V_Λ) associated to (P, V) is a 3-move interactive protocol with exchange of messages r, (com, ch), resp between two PPT algorithms P_Λ and V_Λ such that:
1. P_Λ(x, w) → r, where r ←$ {0,1}^{poly(n)}
2. V_Λ(x) → (com, ch), where com ← Com(x; r), and ch ← V(x, com)
3. P_Λ(x, w, com, ch) → resp, where resp ← P(x, w, com, ch; r), and r ← SmplRnd(x, com)
4. V_Λ(x, com, ch, resp) := V(x, com, ch, resp)

The generation of the initial randomness r can be performed by V_Λ himself, so that a Λ-protocol can generally be seen as a 2-move interactive protocol.

The choice of the symbol ‘Λ’, in analogy to the choice of ‘Σ’ in ‘Σ-protocol’, is meant as a mnemonic graphical representation of the protocol flow. For Σ-protocols, in fact, the Σ recalls a stylization of the left-to-right (and vice versa) arrows denoting exchange of messages between one ‘prover side’ to the left and one ‘verifier side’ to the right when representing the protocol as a workflow, with the direction of time going down. Analogously, Λ-protocols can be seen as Σ-protocols where part of the interaction (i.e., some ‘arrows’) is removed. This is stylized by rotating the Λ by 90 degrees.

Impossibility Result for Post-Quantum Fiat-Shamir
In this section, we use a meta-reduction technique to rule out the existence of strongly black-box reductions for the Fiat-Shamir transformation of actively secure Σ-protocols under certain conditions. That is: it is not possible to find reductions with strong security guarantees for the Fiat-Shamir transformation in the QRO by only relying on the active security of certain Σ-protocols. Before assessing in more detail the strength of this result, we outline here the proof. Recall that, classically, if (P, V) is a Σ-protocol, then its FS transform in the ROM, Sig^{O_h}_FS(P, V), is an EUF-CMA-RO secure digital signature scheme (Theorem 3.54).

1. First we describe a hypothetical, all-powerful adversary A^{|O_h⟩} with quantum access to the random oracle (and no oracle access to the signing algorithm Sign at all), able to break the EUF-CMA-RO security (generate forgeries) for Sig^{O_h}_FS(P, V) for any input public key. This adversary does not need to exist in practice – it is sufficient for our meta-reduction to successfully emulate it. The adversary A^{|O_h⟩} uses his unbounded power to find a secret key sk to its input pk, and then uses a (single) query to the random oracle to generate a forgery. Moreover, such an adversary uses the quantum access to the random oracle to ‘hide’ his query in a superposition (this prevents any strong quantum reduction from applying the rewinding techniques of Pointcheval and Stern [PS00] as in the classical setting). Finally, this hypothetical adversary uses the secret key and the random oracle query to output a valid forgery.
2. Then we describe the behavior of a strongly black-box reduction B reducing the EUF-CMA-RO security of Sig^{O_h}_FS(P, V) to the weak security of an identification scheme (P, V). We show how this is equivalent to finding valid witnesses for statements in a quantum-hard language L_{W,R,Inst} by having only classical access to an efficient adversary for Sig^{O_h}_FS(P, V). We call these very powerful reductions strong quantum extractors (or, in short, just ‘extractors’).
3. Then we build a reduction M which breaks the active security of (P, V) by having classical access to an extractor B.
4. Finally, we show how M can successfully emulate the all-powerful adversary A for B by interacting with the honest prover P and with the same random oracle O_h generated by B. That is, M is actually a meta-reduction which breaks the active security of (P, V) by using B.

We give such an impossibility result with respect to the subclass of witness-independent Σ-protocols, while leaving open the other cases. Moreover, we assume that the strong quantum extractor is input-preserving (i.e., it forwards x faithfully to the adversary). In this case we can easily derandomize the adversary (with respect to classical randomness) by ‘hardwiring’ a key of a random function into it, which he initially applies to its input x to recover the same classical randomness for each run. Since the strong extractor has to work for all adversaries, it in particular needs to succeed for those where we pick the function randomly but fix it from thereon.

Theorem 4.36 (Impossibility Result for Fiat-Shamir). If (P, V) is an actively and weakly secure Σ-protocol with witness-independent commitments, then it does not admit any input-preserving strong quantum extractor.

Proof. We follow the proof sketch above by giving explicit descriptions of the adversary A, the extractor B, and the meta-reduction M. At the beginning of the game, the honest prover P generates a public/secret key pair (pk, sk) ← KGen for the DSS Sig^{O_h}_FS(P, V) (which is actually a valid statement/witness pair (x, w) ← Inst for the quantum-hard language L_{W,R,Inst}). The public key pk is also given to the honest verifier V.

The Adversary. Our hypothetical, all-powerful adversary A works as follows (see Figure 4.2). He receives as input the public key pk = x and first uses its unbounded computational power to compute a random witness w (according to uniform distributions of coin tosses D subject to Inst(n; D) → (x, w), but where D is a random function of x). Then A prepares all possible random strings r ∈ {0,1}^{ϱ(n)} (for some appropriate polynomial function ϱ) for the prover’s algorithm in superposition, i.e., A prepares the state:
$$\sum_{r=0}^{2^{\varrho}-1} \frac{1}{\sqrt{2^{\varrho}}}\,|r\rangle$$
(this can be done efficiently by using Hadamard gates). In the next step, A evaluates (a unitary version of) the classical witness-independent algorithm Com for (deterministically) computing the prover’s commitment com on this superposition (and on x) in order to obtain a superposition of all |r, com := Com(x; r)⟩ plus an extra |0⟩ ancilla register, i.e., the state:
$$|\varphi\rangle := \sum_{r=0}^{2^{\varrho}-1} \frac{1}{\sqrt{2^{\varrho}}}\,|r, \mathit{com}, 0\rangle.$$
At this point, A evaluates the QRO |O_h⟩ in superposition on the com component of the above state (and using the public key pk and a chosen message m), thereby obtaining the state:
$$|\psi\rangle := \sum_{r=0}^{2^{\varrho}-1} \frac{1}{\sqrt{2^{\varrho}}}\,|r, \mathit{com}, \mathit{ch} := h(\mathit{pk}, \mathit{com}, m)\rangle.$$

Figure 4.2: The all-powerful adversary.

Then A computes, in superposition, responses resp ← P(x, w, com, ch, r) for all values in the superposition, by using w to emulate a valid prover, obtaining the state:
$$\sum_{r=0}^{2^{\varrho}-1} \frac{1}{\sqrt{2^{\varrho}}}\,|r, \mathit{com}, \mathit{ch}, \mathit{resp}\rangle.$$
Finally, A measures this state, obtaining a valid transcript (com, ch, resp), and hence a valid forgery sig for Sig^{O_h}_FS(P, V).

The Extractor.
An extractor B for (P, V) is a strong (black-box) quantum reduction which uses an adversary against Sig^{O_h}_FS(P, V) in order to break the weak security of (P, V). Therefore, it has the following characteristics.
• B is a QPT algorithm, taking as input a public key pk for Sig^{O_h}_FS(P, V) (i.e., a statement x in L_{W,R,Inst}).
• Because he wants to break the weak security of (P, V), the goal of B is eventually to output a valid witness w for x.
• B is a black-box reduction, so it works by interacting with any successful adversary against the EUF-CMA-RO security of Sig^{O_h}_FS(P, V), but without having any information about the internal workings of the adversary. In particular, it must work for the all-powerful adversary A.
• Because A eventually wants to interact with a quantum random oracle, B must also emulate a valid |O_h⟩ for A. In particular, B must be a quantum reduction.
• However, since B is a strong extractor, he is not allowed to tamper with A’s queries to |O_h⟩. That is, B cannot perform measurements or other quantum operations on those queries, except the evaluation through |O_h⟩ (but B could, for example, reprogram the oracle, or rewind A).

For example, such extractors might work by running A twice, obtaining two distinct signature forgeries for the same message, and then applying the special soundness property of (P, V) to extract a valid witness w. These extractors can be passive or active (i.e., interacting with P); there is no restriction on that as long as they output a valid w.

On the other hand, we restrict our impossibility result to extractors with the following two additional properties:
1. they are input-preserving, that is, the same statement x (public key pk) input to B is relayed as input to the black-box adversary; and
2. they are RO-broadcasting, that is, they provide a public interface for evaluating O_h to be used by other external parties, not only exclusively by the black-box adversary.

It is important to notice that this last condition is perfectly natural: recall that the ROM idealizes a publicly known hash function, so that it is reasonable to postulate that, once B has set up the emulated |O_h⟩, everyone can have access to it. Actually, for this reason, one could also assume that the extractor is QRO-broadcasting (i.e., providing a public quantum interface for evaluating |O_h⟩), but for our result it is sufficient for the meta-reduction to query O_h classically, and a single query is enough.

The Meta-Reduction. We illustrate the meta-reduction M in Figure 4.3. Assume that there exists an extractor B with black-box access to an underlying quantum adversary A, which, on input a statement (public key) x sampled according to Inst, is able to extract a witness w to x by running several resetting executions of A, each time answering A’s QRO queries |φ⟩ by emulating a QRO |O_h⟩ for a classical, possibly probabilistic function h for which B also provides a public interface to be (at least classically) accessed by M. Then M can use w to break the (weak and strong) security of the underlying Σ-protocol (P, V) by impersonating a valid prover for x against V, against the assumption, and thereby concluding the proof.

It is left to show how M can successfully simulate a quantum adversary for B. In particular, we describe here how M can simulate the all-powerful adversary A. Clearly, M can produce the same query |φ⟩ that A produces, because of the witness-independence of (P, V). However, upon receiving back the reply |ψ⟩ from |O_h⟩, this state is discarded and ignored, and a valid forgery is instead generated in a different way. Namely, M initiates a (P, V) execution with the valid prover P for x, receiving a commitment com. M can now compute a valid challenge ch := h(com) by using the public interface provided by B for evaluating h, that is, M is simulating a valid verifier V for P. At this point, a valid response resp is computed by P, and M can use the transcript (com, ch, resp) to output a valid forgery for B.

Figure 4.3: An overview of our meta-reduction.
The above theorem is a special case of [DFG13, Theorem 3.3] with DSS in mind, but the Fiat-Shamir transform can also be cast in the scenario of non-interactive zero-knowledge proofs. It is important to notice that the above impossibility result has the following limitations:
• It only holds for witness-independent commitment Σ-protocols.
• It only holds for strong black-box quantum extractors, i.e., the extractor is not allowed to tamper with the adversary’s queries to the QRO.
• The extractors must be input-preserving, i.e., they use their underlying black-box adversary by giving as input the same public key used to break the Σ-protocol.
• It only holds for extractors breaking weak security, that is, witness-extracting ones – they are stronger than extractors who just win the impersonation game in the Σ-protocol.
• It is necessary that the extractor allows the meta-reduction to evaluate O_h at least once.

Before discussing some of the above limitations in more detail, it is important to put this result in historical perspective: this was the first impossibility result for Fiat-Shamir in the quantum world, and following works [ARU14, Unr15] rely on more advanced tools. As already discussed, the witness-independence of the commitments is not a strong limitation, as most Σ-protocols have this property. Finally, notice that the existence of strong black-box extractors is not an unreasonable assumption – and therefore the above impossibility result is not unreasonably weak. In fact, Theorem 4.39 in the next section shows that certain Σ-protocols do indeed admit such extractors.

As we have already noticed, the extractor has to choose and provide public classical access to a classical function h for answering random oracle queries. While this may be considered a ‘gray-box’ restriction in general interactive quantum proofs, it seems to be inevitable in the QROM; it is rather a consequence of the approach where a quantum adversary mounts attacks in a classical setting. After all, both the honest parties as well as the adversary expect a classical hash function. The adversary is able to check this property easily, even if it treats the hash function otherwise as a black box (and may thus not be able to spot that the hash function uses (pseudo)randomness). We remark that this approach also complies with previous efforts [BDF+11, BZ13a, Zha12b, Zha12a] and the positive result in the next section to answer such hash queries. Moreover, notice that in the above proof technically M only needs to evaluate h once, i.e., it does not necessarily require unlimited access to O_h. For these reasons, the meta-reduction still qualifies as black-box.

Furthermore, the extractor can rewind the quantum adversary to any point before the final measurement. Recall that for this impossibility result it is assumed, to the advantage of the extractor, that the adversary does not perform any measurement until the very end. Since the extractor can re-run the adversary from scratch for the same classical randomness, and the ‘no-cloning restriction’ does not apply to our adversary with classical input, the extractor can therefore easily put the adversary in the same (quantum) state as in a previous execution, up to the final measurement. However, because we consider strong black-box extractors, the extractor can only influence the adversary’s behavior via the answers it provides to A’s external communication. In this sense, the extractor may always rewind the adversary to such communication points. The extractor is also allowed to measure and abort at such communication points.

The extraction strategy by Pointcheval and Stern [PS00] in the purely classical case can be cast in the strong black-box extractor framework. For this the extractor would run the adversary for the same classical randomness twice, providing a lazy-sampling–based hash function description, with different replies in the i-th answers in the two runs. The extractor then extracts the witness from two valid signatures. This shows that a different approach than in the classical setting is necessary for extractors in the QROM.

One might ask why the meta-reduction does not apply to the Fiat-Shamir transform when adversaries have only classical access to the random oracle. The reason is the following: if the adversary made a classical query about a
B measures (at least partially) the query state without disturbing A’s behavior significantly (i.e., non-strong extractors), but subsequent works [Unr15] have also ruled out this possibility.

Finally, we briefly discuss that active security is basically necessary for an impossibility result as above. That is, we outline a three-move protocol for any quantum-hard language which, when applying the FS transformation, supports a straight-line extractor, and is honest-verifier zero-knowledge, but not actively secure. This holds as long as there are post-quantum dense encryption schemes, and post-quantum non-interactive zero-knowledge proofs. The latter are classical non-interactive zero-knowledge proofs (in the common random string model) for which simulated and genuine proofs are indistinguishable, even for quantum distinguishers. The former are pq-IND-CPA encryption schemes where honestly generated public keys are quantum-indistinguishable from random strings. The construction is based on the (classical) non-interactive zero-knowledge proofs of knowledge of De Santis and Persiano [SP92] and works as follows. The first message is irrelevant, e.g., we let the prover simply send the constant 0 (potentially padded with redundant randomness). In the second message the verifier sends a random string which the prover interprets as a public key pk of the dense encryption scheme and a common random string crs for the NIZK. The prover encrypts the witness under pk and gives a NIZK that the encrypted value forms a valid witness for the public value x. The verifier only checks the NIZK proof. The protocol is clearly not secure against active (classical) adversaries, because such an adversary can create a public key pk via the key generation algorithm, thus knowing the secret key and allowing the adversary to recover the witness from a proof by the prover. It is, however, honest-verifier zero-knowledge against quantum distinguishers, because the pq-IND-CPA security and the simulatability of the NIZK hide the witness and allow for a simulation.
Security Result for Post-Quantum Fiat-Shamir
In this section, we show how it is possible to actually resurrect the security ofthe FS transformation for a certain class of Σ-protocols able to overcome theprevious impossibility result. The intuition is the following: as such impos-sibility result works by exploiting the active security of the Σ-protocol, andsince such property is not needed for the FS transformation to yield securesignature schemes, we can ‘patch’ the Σ-protocol by removing its active secu-rity. That is, by weakening the security guarantees of a Σ-protocol (seen asan identification scheme) we work toward strengthening the properties of itsFS transform (seen as a DSS).We achieve this goal by considering the FS transform of Λ-protocols ob-tained by Σ-protocols with oblivious commitments. In particular, using ran-dom oracles one can hash directly into pairs ( com , ch ) by first computing theoutput of the hash function obtaining a (public-coin) challenge ch and somerandomness r , and then running Com ( x ; r ) to sample a commitment com obliviously. The existence of SmplRnd guarantees that we could ‘bend’ thisvalue back to an actual pre-image r for com . In the sequel we therefore oftenidentify r with Com ( x ; r ) in the sense that we assume that the hash func-tion maps to Com ( x ; r ) directly, and for a (randomized) hash function (cid:104) andmessage m we write ( com , ch ) ← (cid:104) ( x, m, r ). The modified FS transformationthen looks as follows. Definition 4.37 (FS Transform of a Λ-Protocol) . Let ( P Λ , V Λ ) be a Λ -protocolfor a hard language L W , R , Inst , with commitment space X (with associated ran-domness space X − = { r : r ← SmplRnd } := { , } poly ( n ) ), challenge space Y , and response space Z . Let O (cid:104) be a random oracle for a random func-tion (cid:104) : L × M × X − → Y . 
The FS transform of ( P Λ , V Λ ) in the ROM, (cid:83)(cid:105)(cid:103) O (cid:104) FS ( P Λ , V Λ ) , is a DSS with message space M , signature space T := Y × Z ,and key space K := L × W , defined as follows:1.
KGen → ( pk , sk ) , where ( pk , sk ) := ( x, w ) ← Inst Sign O (cid:104) ( sk , m ) → sig := ( r, resp ) ,where r $ ←− X − , ( com , ch ) ← (cid:104) ( pk , m, r ) ,and resp ← P Λ ( pk , sk , com , ch , r ) SigVerify O (cid:104) ( pk , m, sig ) → b ,where sig := ( r, resp ) , b ← V ( pk , (cid:104) ( pk , m ; r ) , resp )As we have already discussed, this modified FS transformation eludes theimpossibility result from the previous section. In order to show its security, weexploit the special soundness of the Λ-protocol: by reprogramming the QRO |O (cid:104) i for a forgery-generating adversary A , eventually we obtain two related .6. Fiat-Shamir in the QROM com ? , ch ? , resp ? ) and ( com ? , ch , resp ) for ch ? = ch , and thus ex-tracting a valid witness for x and breaking the weak security of ( P Λ , V Λ ). Theidea of the proof is as follows.1. First, we run the HVZK simulator S of the Λ-protocol to obtain a validtranscript ( com ? , ch ? , resp ? ).2. We reprogram the QRO |O (cid:104) i by ‘injecting’ the value ( com ? , ch ) (for ch ? = ch ) on a fraction δ of the possible oracle answers. That is, wereplace O (cid:104) with a semi-constant distribution U δ .3. Then, we run the adversary A against the modified quantum oracle,obtaining a forgery for (cid:83)(cid:105)(cid:103) O (cid:104) FS ( P Λ , V Λ ) for some message m , and hencea valid transcript ( com , ch , resp ) for ( P Λ , V Λ ).4. Finally, if it happens that com = com ? and ch = ch ? , we can use the spe-cial soundness extractor J to obtain a valid witness for x and breakingthe weak security of ( P Λ , V Λ ), concluding the proof.In order for this proof strategy to work, the following two (seemingly con-tradictory) conditions have to be fulfilled: • we need to ensure that A eventually outputs a valid signature yielding atranscript for the commitment com ? of our choice (the one we obtainedfrom the zero-knowledge simulator of the underlying Σ-protocol). Thisrequires that com ? 
appears with sufficiently large probability in the responses to oracle queries.

• On the other hand, we still require that A has a small probability of distinguishing a true QRO |O_h⟩ from the reprogrammed one. Otherwise, the adversary may refuse to give a valid signature at all.

The following technical lemma shows that both conditions can be satisfied simultaneously by choosing δ carefully.

Lemma 4.38.
Let (P_Λ, V_Λ) be a Λ-protocol for a quantum-hard language L_{W,R,Inst}, and let O be the oracle obtained by reprogramming O_h on a fraction δ of its possible inputs (pk, m, r), such that O(pk, m, r) = (com*, ch) with probability δ ∈ (0, 1), for fixed values com* and ch. Let A be a QPT algorithm such that A^{|O_h⟩}(pk) outputs a valid forgery for Sig^{O_h}_{FS}(P_Λ, V_Λ) for a public key pk with probability at least ε after performing q_h queries to |O_h⟩, and let (com, ch, resp) be the transcript obtained from the output of the same algorithm A^{|O⟩}(pk) running against the reprogrammed quantum oracle. Then:
\[ \Pr\big[\, V^{O}_{\Lambda}(x, \mathit{com}, \mathit{ch}, \mathit{resp}) \to 1 \;\wedge\; (\mathit{com}, \mathit{ch}) = (\mathit{com}^*, \mathit{ch}) \,\big] \;\ge\; \delta \cdot \varepsilon - (\ldots)\, q_h\, \delta . \]
Proof.
Consider the probability that we first run A on the original oracle |O_h⟩ and check whether it successfully forges a signature (r, resp) for pk and some message m (leading to a transcript (com, ch, resp)), and then, independently, we also verify that (pk, m, r) is mapped to (com*, ch) under O. Then:
\[ \Pr\big[\, A^{|O_h\rangle}(pk) \text{ succeeds} \;\wedge\; O(pk, m, r) = (\mathit{com}^*, \mathit{ch}) \,\big] \;\ge\; \delta \cdot \varepsilon . \]
This follows from the independence of the two events: the oracle O reprograms the output with probability δ, independently of A's behavior, while A^{|O_h⟩} succeeds with probability at least ε by assumption. Next, we replace |O_h⟩ with |O⟩ for A, and consider the new output (m, r, resp), arguing that:
\[ \Pr\big[\, A^{|O\rangle}(pk) \text{ succeeds} \;\wedge\; O(pk, m; r) = (\mathit{com}^*, \mathit{ch}) \,\big] \;\ge\; \delta \cdot \varepsilon - (\ldots)\, q_h\, \delta . \]
This follows from Lemma 4.3: switching to the new oracle can change the output distribution of A by at most (…)·q_h·δ, and once the verification step V^{O}_Λ(x, com, ch, resp) → 1 is added, the probability of V^{O}_Λ(x, com, ch, resp) → 1 ∧ (com, ch) = (com*, ch) cannot be smaller than the claimed bound, because (com, ch) := O(pk, m, r) by construction. □

The previous lemma informally tells us that, in order to succeed, we have to balance between a large δ, to increase the chances of the adversary outputting a signature containing our desired com*, and a small δ, to avoid the adversary detecting the reprogrammed oracle. We are now ready to prove the main theorem.

Theorem 4.39 (Security of a Fiat-Shamir Transform for Λ-Protocols). Let (P_Λ, V_Λ) be a Λ-protocol for a quantum-hard language. Then Sig^{O_h}_{FS}(P_Λ, V_Λ) is an EUF-CMA-QRO secure DSS.

Proof.
We assume towards contradiction the existence of an efficient quantum adversary A which, on input a public key pk, outputs a valid forgery (m, sig) under pk with non-negligible probability ε, hence breaking the existential unforgeability of Sig^{O_h}_{FS}(P_Λ, V_Λ). This adversary has access to a quantum-accessible random oracle |O_h⟩ with h(pk, m_i, r_j) = (com_{i,j}, ch_{i,j}), and to a signing oracle Sign_sk for the secret key sk (where (pk, sk) := (x, w) ∈ R) producing, on input a message m, a (classical) signature sig = (r, resp) ← Sign^{O_h}(sk, m). The adversary A gets pk as input, and is then allowed to perform up to q_h = poly(n) quantum queries to |O_h⟩, and up to q_s = poly(n) classical queries to Sign_sk. Then, after running for poly(n) time, A produces (with probability ε) a forgery (m, sig) such that m has never been asked to the signing oracle Sign_sk throughout A's execution (i.e., m is a fresh message). We assume that q_h also covers a classical query of the verifier to check the signature.

Under these assumptions we show how to build a strong black-box quantum extractor B, with access to A as a subroutine, which is able to break the hardness of L_{W,R,Inst} with non-negligible probability. That is, B, on input x ∈ L generated according to Inst, is able to output a valid witness w such that (x, w) ∈ R by only interacting classically with A. The quantum extractor B works as follows:

• On input statement x, it first runs the simulator S of the underlying Λ-protocol to obtain a valid transcript (com*, ch*, resp*). This is possible because of the honest-verifier zero-knowledge property. Note also that this does not require access to the random oracle. As already explained, we assume for simplicity that the oblivious commitment is a random string; else we would need to run SmplRnd on (pk, com*) to derive a preimage randomness r, and then use r in the hash reply (and argue that this is indistinguishable).
• Then, B simulates a quantum-classical oracle |O⟩ := |O^{δ}_h⟩ which is obtained by reprogramming a (simulated) quantum random oracle |O_h⟩ over a fraction δ of its possible inputs (pk, m, r) with the value (com*, ch). Here, δ is some non-negligible probability in the security parameter (whose optimal value will be computed later), and ch is an arbitrarily chosen challenge different from ch*. That is, O(pk, m, r) = (com*, ch) with probability δ, and random elsewhere.
• Next, B invokes A on input pk = x.
• Whenever A performs the i-th (classical) query to Sign_sk for signing a message m_i, B does the following:
  – choose a random value r_i ←$ X^{-};
  – execute the honest-verifier zero-knowledge simulator S of the Λ-protocol, obtaining a valid (simulated) transcript (com_i, ch_i, resp_i);
  – reprogram O_{i−1} with value (com_i, ch_i) for the input (pk, m_i, r_i). We denote by O_i the reprogrammed oracle after the i-th query to the signing oracle;
  – then output sig_i := (r_i, com_i, ch_i, resp_i) as Sign_sk's reply to A.
• Finally, when A outputs a (hopefully valid) fresh forgery (m, sig), where sig = (r, resp) and O_{q_s}(pk, m; r) = (com, ch), the extractor B aborts if com ≠ com* or ch = ch*. Otherwise, it uses the special soundness extractor J of the underlying Λ-protocol on input (com*, ch*, resp*) and (com, ch, resp) to obtain a valid witness w for x, concluding the attack.
Note that we can formally let B implement the dynamic reprogramming of the quantum-classical oracle, basically hardwiring all changes due to reprogramming into the code of the underlying classical algorithm. In a second step we can emulate the quantum oracle as explained in Section 4.2.

We next show that the success probability of our extraction procedure B is non-negligible given a successful A. The proof follows the common game-hopping technique, where we gradually deprive the adversary of (a negligible amount of) its success probability.

Game 1: this is Game^{EUF-CMA-QRO}_{Sig^{O_h}_{FS}(P_Λ, V_Λ), A}, describing A's original attack against Sig^{O_h}_{FS}(P_Λ, V_Λ) constructed according to Definition 4.37, played against a public key pk. By assumption we have:
\[ \Pr[\, A \text{ wins Game 1} \,] \;\ge\; \varepsilon \]
for some non-negligible value ε.

Game 2: this game is identical to Game 1, except that we abort if A outputs a valid fresh forgery (m, sig) where sig does not contain a randomness leading to the pre-selected commitment com* and challenge ch. Furthermore, we replace the random oracle O_h with the oracle O. Recall that O is obtained by reprogramming O_h on a fraction δ of its entries with the value (com*, ch). By Lemma 4.38 we have:
\[ \Pr[\, A \text{ wins Game 2} \,] \;\ge\; \delta\varepsilon - (\ldots)\, q_h\, \delta . \]

Game 3 is actually a sub-sequence of q_s different experiments, denoted by Game_3^{(i)} for i = 1, …, q_s.

Game_3^{(1)}: this is as Game 2, but this time O is reprogrammed to O_1 (i.e., O_1(pk, m_1, r_1) := (com_1, ch_1)) as soon as A performs its 1st classical query m_1 to Sign_sk. From then on, the oracle O_1 always answers consistently with this value. We need to show that this switching does not change the winning probability significantly. For this we basically need to show that, so far, the amplitudes of this value (pk, m_1, r_1) in the queries to the quantum oracle are small, or else the adversary may be able to spot some inconsistency.

Let X^{-} be the randomness space from SmplRnd as in Definition 4.37, and let |X^{-}| = 2^{r} for some function r polynomial in the security parameter. We define the value (pk, m_i, r_j) to have high amplitude if there exists at least one of the quantum queries |φ_1⟩, |φ_2⟩, … to the quantum oracle |O⟩ before the current (1st) signing query where the amplitude a_{i,j} associated to the corresponding basis element of (pk, m_i, r_j) is such that |a_{i,j}| ≥ (…)^{−r}. Otherwise, the tuple is said to have low amplitude.
Note that each query to the quantum oracle can involve at most (…)^{r} tuples with high amplitude, because the (squares of the) amplitudes need to sum up to 1.

When O is reprogrammed to O_1, the choice of m_1 is fixed (i.e., determined by the 1st query of A to Sign_sk), but r_1 is still chosen uniformly at random in X^{-}. Since A performs at most q_h queries to |O⟩ before the signing query, we thus have at most q_h · (…)^{r} tuples with high amplitude before this query. The probability of hitting such a tuple is then given by:
\[ \Pr[\, (pk, m_1, r_1) \text{ has high amplitude} \,] \;\le\; q_h \cdot (\ldots)^{-r} . \tag{4.1} \]
Moreover, provided (pk, m_1, r_1) has low amplitude, and since there are at most q_h + q_s query steps, using Lemma 2.12 and Lemma 2.11 we obtain:
\[ \Big|\, A^{|O\rangle} - A^{|O_1\rangle} \,\Big| \;\le\; (\ldots)\,(q_h + q_s) \cdot (\ldots)^{-r} . \tag{4.2} \]
Let us assume, on behalf of the adversary, that A fails whenever (pk, m_1, r_1) has high amplitude. Still, from equations (4.1) and (4.2), we have:
\[ \Pr\big[\, A \text{ wins Game}_3^{(1)} \,\big] \;\ge\; \Pr[\, A \text{ wins Game 2} \,] - (\ldots)\,(q_h + q_s) \cdot (\ldots)^{-r} - q_h \cdot (\ldots)^{-r} \;=\; \delta\varepsilon - (\ldots)\, q_h\, \delta - \mathrm{negl} . \]
Here, we use the fact that reprogramming the oracle for (pk, m_1, r_1) does not change the adversary's success probability for a forgery for a fresh message m. That is, since the adversary's forgery is for m ≠ m_1, m_2, …, it cannot simply copy a signature query as a forgery, but must still forge on the original oracle O. So the argument about the winning probability applies as it did for O.

We now repeat the game hopping at most q_s times, from Game_3^{(1)} to Game_3^{(q_s)}, every time repeating the previous game but switching from O_{i−1} to O_i during the i-th query to Sign_sk, each time losing at most a negligible factor in the winning probability.
Note that the probability of hitting a high amplitude with the signature generation in each hop increases to at most q_h · (…)^{−r} + q_s · (…)^{−r} when taking into account the at most q_s hash queries in the previous signature requests, but this remains negligible. After q_s steps we reach the following game.

Game_3^{(q_s)}: as Game 2, but now O is dynamically reprogrammed as a sequence O_1, …, O_{q_s} throughout all of A's queries to Sign_sk. We have:
\[ \Pr\big[\, A \text{ wins Game}_3^{(q_s)} \,\big] \;\ge\; \delta\varepsilon - (\ldots)\, q_h\, \delta - \mathrm{negl} . \]

Game 4: as before, but now Sign_sk is just simulated through the zero-knowledge simulator S of the underlying Λ-protocol. If, by contradiction, A's winning probability is affected by more than a negligible amount in so doing, then we could use A to build an efficient distinguisher between 'real' and 'simulated' transcripts of the Λ-protocol. This would require a distinguisher with access to a random oracle, in order to simulate the game. According to [Zha12b, Theorem 6.1], however, we can simulate the oracle via q-wise independent functions (which exist without requiring cryptographic assumptions). Furthermore, a hybrid argument can be used to reduce the case of q_s proofs to a single proof. Therefore:
\[ \Pr[\, A \text{ wins Game 4} \,] \;\ge\; \delta\varepsilon - (\ldots)\, q_h\, \delta - \mathrm{negl} . \]

Game 5: finally, in this game the special soundness extractor J is run on the transcript obtained from A's output in the previous game. Change the winning condition of A such that the adversary wins if this extraction yields a valid witness w for x. If the winning probability in this game is more than negligibly far from the winning probability of A in the previous game, then this can only be due to the fact that the simulated proof with (com*, ch*, resp*) cannot be accepted by the verifier; else the extractor would be guaranteed to work for this proof and the (accepted) signature.
But this would allow an easy distinguisher against the zero-knowledge property, similar to the previous games. Hence:
\[ \Pr[\, A \text{ wins Game 5} \,] \;\ge\; \delta\varepsilon - (\ldots)\, q_h\, \delta - \mathrm{negl} . \]
Note that A's winning condition in the final game corresponds exactly to the probability of B successfully deriving a witness w for its input x. This winning probability can be maximized (by zeroing the first derivative in δ) by choosing:
\[ \delta := \frac{3\varepsilon}{(\ldots)\, q_h} . \]
This yields:
\[ \Pr[\, A \text{ wins Game 5} \,] \;\ge\; \frac{(\ldots)\,\varepsilon}{(\ldots)\, q_h} - \mathrm{negl} , \]
which is non-negligible. This concludes the proof of the theorem. □

The results from this section regarding the security and impossibility results for the Fiat-Shamir transform of witness-independent commitments in the QROM are summarized in Figure 4.4: a security proof can be found for Σ-protocols with oblivious commitments (that is, Λ-protocols), while strong extractors can be ruled out whenever the FS transformation is applied to Σ-protocols which are actively secure (seen as identification schemes). However, some of these schemes can be 'patched' by using commitment trapdoors in order to make their commitments oblivious and remove their active security, yielding signature schemes in a way similar to the hash-and-sign paradigm [GPV08]. This is for example the situation in the lattice-based signature scheme by Lyubashevsky [Lyu12], which can be patched in such a way as to be rendered EUF-CMA-QRO secure according to Theorem 4.39, as explained in [DFG13].

[Figure 4.4: Security results for the Fiat-Shamir transformation in the QROM.]

4.7. Post-Quantum ORAMs
In this section we look at the post-quantum security of ORAMs. First of all, we define a suitable security model. Then we show that the extension of a classically secure ORAM to its post-quantum secure counterpart is not necessarily trivial. To this end, we examine PathORAM and we show that merely substituting the underlying encryption scheme with a post-quantum one does not generally yield a post-quantum ORAM. The idea is to exploit the weakness of other components of the ORAM construction under examination (in this case, the PRNG used). This is not surprising, because it is to be expected that post-quantum security can only be achieved by hardening all the underlying components of a cryptographic scheme, not only the encryption. However, it is important to keep this possibility in mind.

Then, we show that building post-quantum secure ORAMs is possible. We do so by showing that PathORAM, instantiated with a post-quantum secure SKES and a post-quantum PRNG, achieves post-quantum security. This is important from an application perspective, because it shows that efficient and post-quantum secure ORAMs can indeed be obtained in a straightforward way. Moreover, the proof of this fact is a straightforward adaptation of Theorem 3.64, and the resulting security reduction is semi-classical, therefore offering very strong security guarantees, as discussed in Section 4.1.
Post-Quantum Security of ORAMs
Since the security model for ORAM only involves a classical communication channel and there is no oracle access involved, we can simply switch to a post-quantum model of security for ORAMs in the usual way: we keep the AP-IND-CQA game as in Experiment 3.61, but we switch to QPT adversaries.
Definition 4.40 (Quantum ORAM Adversary). A quantum ORAM adversary A is a QPT algorithm which is computationally indistinguishable from an honest server S for every ORAM client C. In particular, the ORAM's soundness is preserved.

Definition 4.41 (Post-Quantum Access Pattern Indistinguishability Under Adaptive Chosen Query Attack). An ORAM construction ORAM has post-quantum computationally indistinguishable access patterns under adaptive chosen query attack (or, it is pq-AP-IND-CQA-secure) iff for any quantum ORAM adversary A it holds that Adv^{AP-IND-CQA}_{ORAM, A} ≤ negl.

Clearly, if an ORAM is pq-AP-IND-CQA-secure, then it is also AP-IND-CQA-secure. The converse does not hold (under standard hardness assumptions), as we will see.
The Impossibility Result
In order to show that one cannot in general obtain post-quantum ORAMs by just using a post-quantum SKES in a black-box way, we provide the following counterexample.
Theorem 4.42.
Let E = (KGen, Enc, Dec) be a pq-IND-CPA SKES according to Definition 4.23, and let G_BM be the Blum-Micali PRNG from Lemma 4.12. Let PathORAM_BM be the ORAM obtained by instantiating the PathORAM construction from Definition 3.63 using E and G_BM. Then, under the DLP hardness assumption, PathORAM_BM is an AP-IND-CQA secure ORAM, but not pq-AP-IND-CQA secure.

In the light of Theorem 3.64 and Definition 4.41, in order to prove Theorem 4.42 we only need to show the following lemma.
Lemma 4.43.
There exists a QPT algorithm A winning Game^{AP-IND-CQA}_{A, PathORAM_BM} with non-negligible advantage over guessing.

Proof. We start by making a key observation concerning the access patterns produced in PathORAM. Let dr = (op, i, data) be a data request sent by C. By only examining the communication transcript com resulting from the execution of this data request, one can see which path (branch of the tree) S sent to C, thus learning the leaf r_i to which i was mapped, even without knowing i itself. In normal circumstances, this is of no use to an adversary, because this r_i becomes immediately obsolete, being replaced by a new fresh value output by the PRNG in the position map. But it will be important in our attack, as we will see.

Let D be the BQP algorithm (the 'PRNG predictor') of Lemma 4.12. We build the adversary A with oracle access to D. First of all, A chooses n, n_db ≤ n_Max and starts the AP-IND-CQA game by calling Init(n, n_db). For his attack, A fixes an arbitrary identifier i ∈ {1, …, n_db}, and an arbitrary data unit data ∈ {0, 1}^{n_dat}.

During the first CQA learning phase, A asks C to execute k = poly(n) consecutive data requests of the form ('write', i, data). A records the resulting access patterns from all these queries, ap_1, …, ap_k, which include the communication transcripts com_1, …, com_k, and then, by the observation made before, a 'history' (r_i^{(0)}, …, r_i^{(k−1)}) of the past mappings of block i at the beginning of the execution of every data request from 1 to k. These mappings, in turn, are k outputs of G_BM, and they are given as input to the algorithm D, which then outputs a candidate prediction r* for the current secret leaf value r_i^{(k)}. Then A executes his challenge query by using data requests (dr_0, dr_1) with dr_0 = ('write', i, data) and dr_1 = ('write', j, data) for j ≠ i, and records the resulting access pattern ap_{k+1} = ap(dr_b) (where b is the secret bit to be guessed). At this point, the adversary looks at this last communication transcript com_{k+1} and, by the observation made at the beginning of the proof, checks the leaf index r related to the tree branch exchanged during the execution of the challenge query. If r = r*, then A sets b' = 0 (where b' is A's current 'guess' at b), otherwise A sets b' = 1.

However, before outputting his guess b' in order to win the AP-IND-CQA game, A has to perform an additional check (during the second CQA challenge phase) in order to verify whether D had correctly guessed the right value r_i^{(k)} or not. The problem here is that, if D is unsuccessful (which happens with probability as high as 1 − δ), we cannot say anything about the predicted value r*.
In fact, in that case D could potentially act maliciously against A, and output a value r* which maximizes the probability of b' being wrong in the above strategy: for example, r* = r_j^{(0)}. For this reason A performs the following 'sanity check' after the challenge query:

• If b' = 1, then A demands the execution of an additional query of the form ('write', i, data), and verifies that the resulting path leads to leaf r*. This guarantees that r* was actually correct, and that it was not observed during the challenge query just because dr_1 was chosen, as guessed.
• Otherwise, if b' = 0, then A demands the execution of an additional query of the form ('write', j, data), and verifies that the resulting tree branch does not lead to leaf r*. This guarantees with high probability that D did not maliciously output the secret leaf state for element j instead of i.
It is easy to see that in the case of misbehavior of D, both of the above tests fail with high probability. In fact, in the case b' = 1, the current mapping of element i leads to leaf r_i^{(k)}, which was not correctly predicted by D by assumption. In the latter case instead, recall that A had guessed b' = 0 because during the execution of the challenge query he observed the leaf r*; this could only lead to a failure in the case that r_j^{(0)} = r_i^{(k)}, which only happens with negligible probability at most ε, or if r_j^{(0)} = r*, which is detected by the sanity check.

Finally, if the above sanity check is passed, A outputs b', otherwise he outputs a random bit.

Notice that (provided D was successful) this strategy is always correct, except in the case that dr_1 was chosen (probability ½) and the initial mapping of block j (which is r_j^{(0)}) coincides with r_i^{(k)}. As already mentioned, the latter event can only happen with probability at most ε, negligible in the bit size of G_BM's output, and hence in the security parameter n (it is easy to see that this is a minimum requirement for any classically secure PRNG, as G_BM is). Thus:
\[ \Pr\big[\, \text{Game}^{\text{AP-IND-CQA}}_{A, \text{PathORAM}_{BM}} \to 1 \;\big|\; D \text{ succeeds} \,\big] \;\ge\; 1 - \varepsilon . \tag{4.3} \]
On the other hand, if D fails (which happens with probability (1 − δ) at most) and predicts a wrong value r* ≠ r_i^{(k)}, the above strategy still succeeds with probability at least ½(1 − ε) (again, because of the remote possibility that r_j^{(0)} = r_i^{(k)}). Hence:
\[ \Pr\big[\, \text{Game}^{\text{AP-IND-CQA}}_{A, \text{PathORAM}_{BM}} \to 0 \;\big|\; D \text{ fails} \,\big] \;\le\; \tfrac{1}{2}(1 + \varepsilon) . \tag{4.4} \]
Thus, combining (4.3) and (4.4), the adversary's overall success probability is:
\[ \Pr\big[\, \text{Game}^{\text{AP-IND-CQA}}_{A, \text{PathORAM}_{BM}} \to 1 \,\big] = \Pr[A \text{ wins}] \cdot \Pr[D \text{ succeeds}] + \big( 1 - \Pr[A \text{ loses}] \cdot \Pr[D \text{ fails}] \big) \;\ge\; \delta (1 - \varepsilon) + \Big( 1 - (1 - \delta)\, \tfrac{1}{2}(1 + \varepsilon) \Big) \;\ge\; \tfrac{1}{2} + \tfrac{1}{2}\delta - \varepsilon , \]
which concludes the proof, because ε is negligible, while δ is not. □

Construction of a Post-Quantum ORAM
A careful examination of PathORAM's construction details reveals that an important role in the security is played by the pseudorandom number generator used to map a block to a leaf during every access. As we have just shown, a PRNG which is not post-quantum secure is enough to break PathORAM's security in a quantum setting. It is natural then to wonder whether the attack on PathORAM can be avoided by using a post-quantum PRNG, in addition to a … PathORAM. Here, we give a positive answer to this question.
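As an added illustration (constructed for this edition, not code from the thesis), the following Python simulation replays the adversary of Lemma 4.43 against a model of PathORAM's position map, and then repeats it against the instantiation of Theorem 4.44. Since a quantum predictor cannot be run here, the non-post-quantum G_BM and its predictor D are replaced by a toy linear congruential generator with secret parameters and a predictor that recovers them from three consecutive leaf values; a seeded random.Random stands in for a PRNG the predictor cannot model. Encryption is omitted because the leak lives entirely in the position map.

```python
"""Constructed simulation (added example, not the thesis's code) of the
access-pattern attack of Lemma 4.43 on PathORAM's position map."""
import random

M = 2_147_483_647  # prime modulus; leaf indices are 0..M-1 (toy parameter)


class LCG:
    """Stand-in for G_BM: a linear congruential generator with secret
    multiplier a and increment c. Its outputs are predictable from a short
    history, which is all the attack needs."""

    def __init__(self, rng):
        self.a = rng.randrange(2, M)
        self.c = rng.randrange(M)
        self.x = rng.randrange(M)

    def next(self):
        self.x = (self.a * self.x + self.c) % M
        return self.x


class UnpredictableGen:
    """Stand-in for a pq-PRNG G (Theorem 4.44): fresh values with no structure
    the predictor below can exploit (seeded for reproducibility only)."""

    def __init__(self, rng):
        self.rng = rng

    def next(self):
        return self.rng.randrange(M)


def predict_next(history):
    """The PRNG predictor D: from three consecutive LCG outputs recover (a, c)
    and return the next output, or None when the history is degenerate
    (this is the 'D fails' case of the proof)."""
    x1, x2, x3 = history[-3:]
    d = (x2 - x1) % M
    if d == 0:
        return None
    a = ((x3 - x2) * pow(d, -1, M)) % M
    c = (x2 - a * x1) % M
    return (a * x3 + c) % M


class PositionMapClient:
    """Model of the PathORAM client C. A data request for block i makes the
    server return the path to i's current leaf, so the transcript reveals
    that leaf; afterwards i is remapped to a fresh PRNG output."""

    def __init__(self, n_db, gen):
        self.gen = gen
        self.pos = [gen.next() for _ in range(n_db)]

    def access(self, i):
        leaf = self.pos[i]             # what the communication transcript leaks
        self.pos[i] = self.gen.next()  # position-map update
        return leaf


def ap_ind_cqa_game(client, rng, i=0, j=1, k=4):
    """One run of the AP-IND-CQA game with the adversary of Lemma 4.43.
    Returns True iff the adversary's guess equals the secret bit b."""
    # Learning phase: k writes to block i leak a history of its leaf mappings.
    history = [client.access(i) for _ in range(k)]
    r_star = predict_next(history)   # candidate for i's current secret leaf

    # Challenge: C executes dr_b, where dr_0 touches block i and dr_1 block j.
    b = rng.randrange(2)
    leaf = client.access(i if b == 0 else j)
    if r_star is None:               # D failed outright: guess at random
        return rng.randrange(2) == b
    guess = 0 if leaf == r_star else 1

    # Sanity check from the proof: make sure the prediction was genuine.
    if guess == 1:
        ok = client.access(i) == r_star   # i must still sit at the predicted leaf
    else:
        ok = client.access(j) != r_star   # j must not sit at the predicted leaf
    if not ok:
        guess = rng.randrange(2)          # prediction untrusted: random bit
    return guess == b


def win_rate(predictable, trials=400, seed=7):
    """Fraction of games the adversary wins against a position map driven by
    the LCG (predictable=True) or by the unpredictable generator."""
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        gen = LCG(rng) if predictable else UnpredictableGen(rng)
        client = PositionMapClient(2, gen)  # blocks i=0 and j=1 suffice
        wins += ap_ind_cqa_game(client, rng)
    return wins / trials


if __name__ == "__main__":
    print("LCG position map:          ", win_rate(True))
    print("unpredictable position map:", win_rate(False))
```

With the predictable generator the adversary wins every game, while with the unpredictable one the sanity check rejects the prediction and the win rate falls back to guessing, mirroring the gap between Theorem 4.42 and Theorem 4.44.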
Theorem 4.44.
Let E be a pq-IND-CPA SKES according to Definition 4.23, and let G be a pq-PRNG as in Definition 4.9. Then PathORAM instantiated using E and G is a pq-AP-IND-CQA secure ORAM.

Proof. The proof follows step-by-step the proof of Theorem 3.64. In fact, this time, since G is a pq-PRNG by assumption, the new output values used to update the position map in PathORAM are indistinguishable from random (and therefore, in particular, unpredictable) even for QPT adversaries. As G has an internal state which is completely unrelated to E's internal randomness, and because there is no quantum oracle access involved, the security arguments at every step in the proof of Theorem 3.64 remain unchanged. Therefore, any QPT adversary who can distinguish the execution of two data request sequences with probability non-negligibly better than guessing can be turned into a successful adversary against the pq-IND-CPA security of E, or against the pq-PRNG, contradicting the security assumptions. □

Chapter 5. QS2: Quantum (Superposition-Based) Security
In this chapter we conclude our study of quantum security notions for classical cryptographic objects by presenting the quantum security class QS2. In this domain, the schemes are classical and the adversaries are quantum, as in QS1 … QS1, the adversaries are always given quantum access to classical oracles, not only when the 'realistic' model requires it. So, for example, encryption schemes in QS2 … The QS2 … states: "Whenever an adversary has access to a classical oracle, then such oracle should be accessible by the adversary in a quantum way."

As we will see, the resulting security notions can be strictly stronger than 'post-quantum' notions as defined in the previous chapter. Constructions which are secure in QS2 are also secure in QS1, but the converse does not always hold. QS2 … beyond post-quantum security. When a cryptographic construction is secure in the QS2 … 'quantum-secure'.

In the following sections we first discuss the motivations for considering this scenario, and then we introduce security models and definitions for quantum-secure cryptographic building blocks and secret-key encryption schemes.

My Scientific Contribution in this Chapter
Quantum-secure PRPs (Definitions 5.3 and 5.4), and all the results in Section 5.3, first appeared in [GHS16], which is a joint work with Andreas Hülsing and Christian Schaffner. Theorem 5.9 is considered folklore but, to the best of my knowledge, the first formal proof appears in this thesis.
5.1. Why Superposition Access?

The obvious question one might ask is: "Why consider quantum access to classical primitives, in the case where the adversary does not implement the primitive's code himself? Doesn't this clash with the QS… " Actually, it does not: the QS… but it does not say anything about the converse. In fact, classical access to an oracle can be seen just as a special case of quantum access, where the adversary is limited to queries in the form of basis states. So, the first 'trivial' reason why one should consider quantum access is the following.

Reason. Nothing is lost, in terms of security, by considering adversaries able to execute superposition queries. The resulting security notions will be at least as strong as the corresponding post-quantum security notions, and sometimes strictly so, as we will see. Of course this does not make post-quantum notions obsolete: for example, it might be impossible (or much harder, or worse in performance) to achieve certain QS2 … even if we are using the quantum random oracle 'only' in a post-quantum security proof.

Another example is the case of post-quantum obfuscation, in particular indistinguishability obfuscation (iO). This is a relatively recent branch of cryptographic techniques which, roughly speaking, achieves certain functionalities by 'obfuscating' the code of some algorithm in a secure way. One typical example (which has also received interest [CEJvO02] from an application perspective) is how to build PKES from SKES. The idea is to hardcode the secret key of the SKES in the code of the encryption routine, and then obfuscate the code and distribute it as a public key. In the standard model, it is known [IR88] that it is impossible to achieve key exchange and public-key encryption in a black-box way just from one-way functions. However, Corollary 4.15 and Theorem 4.26 tell us that, using iO, it might be possible to build post-quantum … not be enough because, as discussed in Section 4.4, post-quantum PKES can be queried in superposition. Therefore, for this application we also need a superposition-based security notion for SKES.

Summing up, we can say the following.

Reason.
If a security reduction for an object in QS… QS1, one of the reasons (in addition to the ones described in Section 4.1) might be that the security of some of the underlying building blocks should be 'lifted' to QS2, not just QS1. … 'tricking classical parties into quantum behaviour'.

Another example of a sort of 'quantum fault attack' occurs in a situation where one party using a quantum computer encrypts messages for another party that uses a classical computer, and the adversary is able to observe the outcome of the quantum computation before measurement.
Reason. … Also notice that the threat deriving from these kinds of attacks is potentially high, considering that, unlike in the post-quantum scenario, they do not necessarily require the adversary to build a fully-fledged quantum computer.

Finally, it is important to consider superposition-based quantum security in all those cases where a classical cryptographic object is used as a building block for more complex quantum protocols (meant to run natively on quantum computing devices). Post-quantum guarantees alone are usually not enough to ensure secure composition in these scenarios.

Reason. For instance, we will see an example in the next chapter where schemes for securely encrypting quantum data can be built by adapting classical encryption schemes, but only if such schemes are (superposition-based) quantum-secure.
5.2. Quantum-Secure Building Blocks

We look first at the basic (superposition-based) quantum-secure building blocks. As already discussed in Section 4.3, there is nothing to say about quantum-secure OWF, OWTP, and PRNG. In the first two cases, the superposition access is already implied by the post-quantum definition, so that the post-quantum and the superposition-based quantum security notions coincide. We will use the two terms interchangeably, as the meaning is the same. In the latter case instead, a superposition-based security notion for PRNG makes no sense, because PRNG security, by definition, is based on a stream of classical data, and there is no oracle access involved. As we mentioned already, the situation is instead quite different in the case of PRF and PRP.
Quantum-Secure PRF
In the case of pseudorandom functions, an adversary might be able to distinguish the PRF F from a random function by gaining quantum access to the oracle for F, which we denote by |F⟩. Since a PRF is a keyed family of functions, we sometimes write |F_k⟩ to denote the quantum-classical oracle for F keyed by k.

Definition 5.1 (Quantum-Secure Pseudorandom Function (qPRF)). A (family of) quantum-secure pseudorandom functions (qPRF) from X to Y with key space K is a DPT algorithm F: (k ∈ K, x ∈ X) ↦ y ∈ Y such that for any QPT algorithm D it holds:
\[ \Big|\, \Pr_{k \leftarrow_\$ K}\big[ D^{|F_k\rangle} \to 1 \big] - \Pr_{h \leftarrow_\$ Y^X}\big[ D^{|O_h\rangle} \to 1 \big] \,\Big| \;\le\; \mathrm{negl} , \]
where |O_h⟩ is a quantum-classical oracle for h (i.e., a quantum random oracle), and the probabilities are over the choice of k and h, and the randomness of D.

Obviously, a qPRF is also a pqPRF and, in particular, a PRF. As discussed in Section 3.1, and unlike in the case of pqPRFs in Section 4.3, the security proof of Theorem 3.7 does not go through, because of the impossibility of dealing with the quantum oracle access in the standard way required for such a proof. However, [Zha12a] shows that qPRFs can indeed be built from post-quantum OWF using standard constructions, so the analogue of Corollary 4.15 still holds. The following is a corollary of [Zha12a, Theorem 4.5].
Theorem 5.2. pqOWF exist iff qPRF exist.
Quantum-Secure PRP
Quantum-secure PRPs are defined in a similar way as qPRFs, denoting by $|P_k\rangle$ the quantum-classical oracle evaluating P with secret key k.

Definition 5.3 (Quantum-Secure Weak PRP (qWPRP)). A (family of) quantum-secure weak pseudorandom permutations (qWPRP) on X with key space K is a pair of DPT algorithms $(P, P^{-1}) : (k \in K, x \in X) \mapsto x' \in X$ such that:
1. $\forall k \in K \Rightarrow P_k, P^{-1}_k$ are permutations on X;
2. $\forall k \in K \Rightarrow (P_k)^{-1} = P^{-1}_k$; and
3. for any QPT algorithm D it holds:

$$\left|\ \Pr_{k \xleftarrow{\$} K}\Big[ D^{|P_k\rangle} \to 1 \Big] - \Pr_{\pi \xleftarrow{\$} S(X)}\Big[ D^{|O_\pi\rangle} \to 1 \Big]\ \right| \le \mathrm{negl},$$

where $|O_\pi\rangle$ is a quantum-classical oracle for $\pi$, and the probabilities are over the choice of k and $\pi$, and the randomness of D.

Definition 5.4 (Quantum-Secure Strong PRP (qSPRP)). A (family of) quantum-secure strong pseudorandom permutations (qSPRP) on X with key space K is a pair of DPT algorithms $(P, P^{-1}) : (k \in K, x \in X) \mapsto x' \in X$ such that:
1. $\forall k \in K \Rightarrow P_k, P^{-1}_k$ are permutations on X;
2. $\forall k \in K \Rightarrow (P_k)^{-1} = P^{-1}_k$; and
3. for any QPT algorithm D it holds:

$$\left|\ \Pr_{k \xleftarrow{\$} K}\Big[ D^{|P_k\rangle, |P^{-1}_k\rangle} \to 1 \Big] - \Pr_{\pi \xleftarrow{\$} S(X)}\Big[ D^{|O_\pi\rangle, |O_{\pi^{-1}}\rangle} \to 1 \Big]\ \right| \le \mathrm{negl},$$

where $|O_\pi\rangle$ is a quantum-classical oracle for $\pi$, $|O_{\pi^{-1}}\rangle$ is a quantum oracle for $\pi^{-1}$, and the probabilities are over the choice of k and $\pi$, and the randomness of D.
It is important to notice that building provably secure qPRPs is not trivial. Kuwakado and Morii showed [KM10, KM12] that the two most commonly used constructions for building PRPs are actually quantum-insecure, in the sense that there exist specific quantum attacks (using a modified version of Simon's algorithm) able to distinguish such constructions from random. Their attacks are limited to the (3-round) Feistel construction (for building WPRPs from PRFs) and the (1-round) Even-Mansour construction (for building SPRPs from public random permutations). However, Zhandry [Zha16] shows that qSPRPs can indeed be built from qPRFs (and hence from post-quantum OWF) using constructions based on format-preserving encryption, so the analogue of the result from Theorem 4.18 still holds.
Theorem 5.5 (qPRF ⇔ qPRP). qPRFs exist iff qPRPs exist.

Quantum-Secure Secret-Key Encryption

In Section 4.4, we have seen how security notions for public-key encryption in the post-quantum setting should allow for an adversary to query the encryption oracle in superposition. Following the QS2

Classical IND, Quantum CPA
The first indistinguishability notion with quantum CPA query phase, called IND-qCPA, was proposed in [BZ13b]. Formally, the base adversarial model is the same pq-IND adversary from Definition 4.19.
Experiment 5.6 ($\mathrm{Game}^{\mathrm{IND\text{-}qCPA}}_{E,A}$). Let E be a SKES, and A := (M, D) a pq-IND adversary. The IND-qCPA experiment proceeds as follows:

Input: $n \in \mathbb{N}$
$k \leftarrow \mathrm{KGen}$
$(m_0, m_1, |\mathit{state}\rangle) \leftarrow M^{|\mathrm{Enc}_k\rangle}$
$b \xleftarrow{\$} \{0,1\}$
$c \leftarrow \mathrm{Enc}_k(m_b)$
$b' \leftarrow D^{|\mathrm{Enc}_k\rangle}(c, \mathit{state})$
if $b = b'$ then Output: 1 else Output: 0

The advantage of A is defined as:

$$\mathrm{Adv}^{\mathrm{IND\text{-}qCPA}}_{E,A} := \Pr\Big[\mathrm{Game}^{\mathrm{IND\text{-}qCPA}}_{E,A} \to 1\Big] - \frac{1}{2}.$$

Notice how, as in the QS1 case, $\mathrm{Game}^{\mathrm{IND\text{-}qCPA}}_{E,A} = \mathrm{Game}^{\mathrm{IND}}_{E,A,|\mathrm{Enc}_k\rangle}$.

Definition 5.7 (Indistinguishability of Ciphertexts under Quantum Chosen Plaintext Attack (IND-qCPA)). A SKES E has indistinguishable encryptions under quantum chosen plaintext attack (or, it is IND-qCPA secure) iff, for any pq-IND adversary A it holds that:

$$\mathrm{Adv}^{\mathrm{IND\text{-}qCPA}}_{E,A} \le \mathrm{negl}.$$

Clearly, IND-qCPA is at least as strong as pq-IND-CPA (and it is actually equivalent for PKES). But the converse is not true.
Theorem 5.8 (IND-qCPA ⇒ pq-IND-CPA). If a SKES is IND-qCPA secure, then it is also pq-IND-CPA secure.

Theorem 5.9 (pq-IND-CPA SKES ⇏ IND-qCPA SKES). Under standard hardness assumptions, there exist SKES which are pq-IND-CPA secure, but not IND-qCPA secure.

Proof (sketch). Consider the same counterexample described in the proof of Theorem 4.25, but where this time the public key used for the (IND-CPA but non–post-quantum secure) PKES is generated by KGen and kept secret. This way, in the post-quantum setting the adversary would lose access to the quantum encryption oracle for the PKES, and hence the pq-IND-CPA security notion coincides with the IND-CPA notion, which the resulting scheme achieves by construction. However, an adversary for the IND-qCPA security notion would still have access to such encryption oracle, thereby being able to break the security of the PKES, and thus recovering the SKES key.

A simple modification from [BZ13b, Theorem 4.10] shows that Construction 3.26 is IND-qCPA when instantiated with a quantum-secure PRF.

Theorem 5.10. Let $E_F$ be the SKES from Construction 3.26 implemented through a qPRF F. Then $E_F$ is an IND-qCPA SKES.

Type-(2) Oracles
Before discussing other quantum security notions, we must provide a technical tool arising from the following consideration. In quantum computing, the ‘canonical’ way of evaluating an oracle for a classical function f in superposition is, as discussed in Section 4.1, by using an auxiliary register and then the canonical quantum-classical oracle:

$$|O_f\rangle : \sum_{x,y} a_{x,y}\,|x, y\rangle \mapsto \sum_{x,y} a_{x,y}\,|x, y \oplus f(x)\rangle.$$

This way ensures that the resulting operator is invertible, even if f itself is not. We call these type-(1) transformations, and we denote them by $|O_f\rangle^{(1)}$ when necessary to specify (by default, we assume $|O_f\rangle = |O_f\rangle^{(1)}$). For SKES, if $\mathrm{Enc}_k$ is an encryption mapping m-bit plaintexts to c-bit ciphertexts, the resulting operator in this case will act on m + c qubits in the following way:

$$|\mathrm{Enc}_k\rangle^{(1)} : \sum_{x,y} a_{x,y}\,|x, y\rangle \mapsto \sum_{x,y} a_{x,y}\,|x, y \oplus \mathrm{Enc}_k(x)\rangle,$$

where the y's are ancillary values.

In our case, though, we do not consider arbitrary functions, but encryptions, which act as bijections on some bit-string spaces (assuming that the randomness, if in presence of a randomized SKES, is treated as an input, although never chosen by the adversary). Therefore, provided that the encryption does not change the size of a message, the following transformation is also invertible:

$$\sum_x a_x\,|x\rangle \mapsto \sum_x a_x\,|\mathrm{Enc}_k(x)\rangle. \qquad (5.1)$$

For the more general case of arbitrary message expansion factors, we will consider transformations of the form:

$$\sum_{x,y} a_{x,y}\,|x, y\rangle \mapsto \sum_{x,y} a_{x,y}\,|\varphi_{x,y}\rangle,$$

where the length of the ancilla register is $|y| = |\mathrm{Enc}_k(x)| - |x|$ and $\varphi_{x,0} = \mathrm{Enc}_k(x)$ for every x, i.e., initializing the ancilla register in the $|0\rangle$ state produces a
challenger), we will not consider cases where $y \neq 0$.
We call the resulting operator type-(2) transformations, and we denote them by $|O_f\rangle^{(2)}$ when necessary to specify, that is:

$$|\mathrm{Enc}_k\rangle^{(2)} : \sum_x a_x\,|x, 0\rangle \mapsto \sum_x a_x\,|\mathrm{Enc}_k(x)\rangle,$$

where the ancillary $|0\rangle$ is of the necessary qubit-size.

Notice that, in general, type-(1) and type-(2) transformations are very different: having quantum gate access to a type-(2) unitary encryption oracle (that is, quantum oracle access to $|\mathrm{Enc}_k\rangle^{(2)}$ and its adjoint $|\mathrm{Enc}_k\rangle^{\dagger(2)}$) also gives access to the related type-(2) decryption oracle $|\mathrm{Dec}_k\rangle^{(2)} : \sum_x a_x\,|\mathrm{Enc}_k(x)\rangle \mapsto \sum_x a_x\,|x\rangle$. In fact, notice that $|\mathrm{Enc}_k\rangle^{\dagger(2)} = |\mathrm{Dec}_k\rangle^{(2)}$, while the adjoint of a type-(1) encryption operator, $|\mathrm{Enc}_k\rangle^{\dagger(1)}$, is generally not a type-(1) decryption operator. In particular, type-(2) operators are ‘more powerful’ in the sense that knowledge of the secret key is required in order to build any efficient quantum circuit implementing them. However, we stress the fact that whenever access to a decryption oracle is allowed, the two models are completely equivalent, because then we can simulate a type-(2) operator by using ancilla qubits and ‘uncomputing’ the resulting garbage lines (see Figure 5.1). This is in fact the case in our security model for SKES, as it is not the adversary himself who computes the encryptions, but they are instead provided by a challenger who, in particular, already knows the secret key.

Figure 5.1: Equivalence between type-(1) and type-(2) in the case of 1-qubit messages. Left: building a type-(1) encryption oracle by using a type-(2) encryption oracle (and its inverse) as a black-box. Right: building a type-(2) encryption oracle by using type-(1) encryption and decryption oracles as black-boxes.
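The two oracle types and the Figure 5.1 equivalence, as an added example that is not part of the dissertation: a toy simulation on 2-bit messages in which a fixed bijection ENC stands in for Enc_k (an assumption; its inverse table plays the role of Dec_k), and states are dictionaries from basis labels to amplitudes.

```python
"""Added example, not from the dissertation: a toy simulation of type-(1) and
type-(2) encryption oracles and of the Figure 5.1 equivalence.

A state over three 2-bit registers (x, y, z) is a dict from basis label to
amplitude.  Every oracle below permutes basis labels, so it acts on a
superposition by relabelling keys, exactly as in the operator notation
sum_x a_x |x> -> sum_x a_x |Enc_k(x)> used in the text.
"""
from fractions import Fraction

N_BITS = 2
SIZE = 1 << N_BITS

# Constructed stand-in for Enc_k on 2-bit messages: a fixed bijection with the
# key baked in (not a cipher); the inverse table plays the role of Dec_k.
ENC = {0: 2, 1: 0, 2: 3, 3: 1}
DEC = {c: m for m, c in ENC.items()}
IDENTITY = {v: v for v in range(SIZE)}


def _relabel(state, fn):
    """Apply a label-permuting map fn to every basis label, merging amplitudes."""
    out = {}
    for label, amp in state.items():
        new = fn(label)
        out[new] = out.get(new, 0) + amp
    return {k: v for k, v in out.items() if v != 0}


def type1(state, f, src, dst):
    """Type-(1) oracle |..x.., ..y..> -> |..x.., ..y xor f(x)..> on registers src, dst."""
    def fn(label):
        new = list(label)
        new[dst] ^= f[label[src]]
        return tuple(new)
    return _relabel(state, fn)


def type2(state, f, reg):
    """Type-(2) ('minimal') oracle |..x..> -> |..f(x)..> on register reg.
    Only a unitary when f is a bijection."""
    def fn(label):
        new = list(label)
        new[reg] = f[label[reg]]
        return tuple(new)
    return _relabel(state, fn)


def cnot(state, src, dst):
    """Register-wise CNOT, i.e. a type-(1) oracle for the identity function."""
    return type1(state, IDENTITY, src, dst)


def swap(state, a, b):
    def fn(label):
        new = list(label)
        new[a], new[b] = new[b], new[a]
        return tuple(new)
    return _relabel(state, fn)


def plus_state(y=0):
    """Uniform superposition over x in register 0, register 1 = y, register 2 = 0.
    The amplitude 1/2 = 1/sqrt(4) is exact for 2-bit messages."""
    return {(x, y, 0): Fraction(1, 2) for x in range(SIZE)}


def type1_from_type2(state):
    """Figure 5.1, left: a type-(1) Enc oracle from type-(2) Enc and its adjoint."""
    s = cnot(state, 0, 2)   # copy x into the ancilla:        |x, y, x>
    s = type2(s, ENC, 2)    # encrypt the copy in place:      |x, y, Enc(x)>
    s = cnot(s, 2, 1)       # xor it into the output:         |x, y xor Enc(x), Enc(x)>
    s = type2(s, DEC, 2)    # adjoint of type-(2) Enc is Dec: |x, y xor Enc(x), x>
    return cnot(s, 0, 2)    # uncompute the copy:             |x, y xor Enc(x), 0>


def type2_from_type1(state):
    """Figure 5.1, right: a type-(2) Enc oracle from type-(1) Enc and type-(1) Dec.
    Expects register 1 to hold 0."""
    s = type1(state, ENC, 0, 1)  # |x, Enc(x), 0>
    s = type1(s, DEC, 1, 0)      # |x xor Dec(Enc(x)), Enc(x), 0> = |0, Enc(x), 0>
    return swap(s, 0, 1)         # |Enc(x), 0, 0>


def check_equivalences():
    """The four facts stated in the text, each as a boolean."""
    psi = plus_state(y=3)
    return {
        # both constructions of Figure 5.1 reproduce the directly built oracle
        "type1_via_type2": type1_from_type2(psi) == type1(psi, ENC, 0, 1),
        "type2_via_type1": type2_from_type1(plus_state()) == type2(plus_state(), ENC, 0),
        # |Enc>^(1) is self-inverse, so its adjoint is not a decryption operator
        "type1_adjoint_is_itself": type1(type1(psi, ENC, 0, 1), ENC, 0, 1) == psi,
        # |Enc>^(2) followed by |Dec>^(2) is the identity: the adjoint decrypts
        "type2_adjoint_is_dec": type2(type2(psi, ENC, 0), DEC, 0) == psi,
    }


if __name__ == "__main__":
    print(check_equivalences())
```

Note that the left-hand construction needs the DEC table, i.e. the adjoint of the type-(2) oracle, which is why a type-(2) circuit cannot be built without the key.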
Quantum Indistinguishability
Type-(2) transformations are called minimal quantum oracles in [KKVB02].

When trying to apply the QS2
into quantum registers does not work, because the resulting notion would be trivially unachievable. The work [GHS16] presents an in-depth discussion about other possible strategies spanning a ‘security tree’ of definitions. Most of these strategies lead to quantum indistinguishability notions that are either unachievable, or equivalent to IND-qCPA. However, some of them lead to more meaningful notions for the QS2
quantum indistinguishability (qIND) and general quantum indistinguishability (gqIND). However, for the purpose of this work, we rename them as weak quantum indistinguishability (wqIND) and quantum indistinguishability (qIND) respectively, because the latter is of more direct interest to our framework. That is, what we call ‘qIND’ in this work was originally called ‘gqIND’ in [GHS16], and what we call ‘wqIND’ was originally called ‘qIND’ in [GHS16]. We will use such denomination from now on, and we will discuss qIND in this section, while presenting wqIND at a later point.

We give the qIND model for the most general case of adversaries able to query oracles on mixed states. This can happen if, for example, the adversary queries the oracle on a state which is entangled with another state kept by the adversary. Basically, what happens in the qIND experiment is the following:
1. first, the adversary outputs two quantum states $\varphi_0, \varphi_1$ representing the challenge plaintexts of his choice. These states can be thought of as superpositions of classical plaintexts, but in general can also be mixed states, possibly entangled together or with some other state kept by the adversary.
2. Then, these two states are sent over a quantum channel to some abstract challenger algorithm. This challenger selects at random one of the two states and traces out the other one. The selected state is encrypted according to $|\mathrm{Enc}_k\rangle^{(2)}$ with a secret key k generated by the challenger, and sent back to the adversary.
3. Finally the adversary, upon receiving such encrypted state, has to guess which of the two states was selected.

More formally, we define the following.

Definition 5.11 (Quantum IND Adversary). Let E be a SKES with plaintext space X and ciphertext space Y. A quantum IND (qIND, or QIND) adversary A for E is a pair of QPT algorithms A := (M, D), where:
1. $M : \emptyset \to \mathcal{D}(H_X) \times \mathcal{D}(H_X) \times \mathcal{D}(H_{Env})$ is the qIND (or QIND) message generator;
2. $D : \mathcal{D}(H_Y) \times \mathcal{D}(H_{Env}) \to \{0,1\}$ is the qIND (or QIND) distinguisher,
where $H_{Env}$ is a Hilbert space of appropriate dimension, modeling the state communication register (or, environment) between M and D.

Experiment 5.12 ($\mathrm{Game}^{\mathrm{qIND}}_{E,A}$). Let E be a SKES, and A := (M, D) a qIND adversary. The qIND experiment proceeds as follows:

Input: $n \in \mathbb{N}$
$k \leftarrow \mathrm{KGen}$
$(\varphi_0, \varphi_1, \sigma) \leftarrow M$
$b \xleftarrow{\$} \{0,1\}$
$\psi \leftarrow |\mathrm{Enc}_k\rangle^{(2)}(\varphi_b)$
trace out $\varphi_{1-b}$
$b' \leftarrow D(\psi, \sigma)$
if $b = b'$ then Output: 1 else Output: 0

The advantage of A is defined as:

$$\mathrm{Adv}^{\mathrm{qIND}}_{E,A} := \Pr\Big[\mathrm{Game}^{\mathrm{qIND}}_{E,A} \to 1\Big] - \frac{1}{2}.$$

Definition 5.13 (Quantum Indistinguishability of Ciphertexts (qIND)). A SKES E has quantum indistinguishable encryptions (or, it is qIND secure) iff, for any qIND adversary A it holds that:

$$\mathrm{Adv}^{\mathrm{qIND}}_{E,A} \le \mathrm{negl}.$$

We can strengthen this security notion by adding quantum CPA capabilities to the adversary.
Experiment 5.14 ($\mathrm{Game}^{\mathrm{qIND\text{-}qCPA}}_{E,A}$). Let E be a SKES, and A := (M, D) a qIND adversary. The qIND-qCPA experiment proceeds as follows:

Input: $n \in \mathbb{N}$
$k \leftarrow \mathrm{KGen}$
$(\varphi_0, \varphi_1, \sigma) \leftarrow M^{|\mathrm{Enc}_k\rangle^{(2)}}$
$b \xleftarrow{\$} \{0,1\}$
$\psi \leftarrow |\mathrm{Enc}_k\rangle^{(2)}(\varphi_b)$
trace out $\varphi_{1-b}$
$b' \leftarrow D^{|\mathrm{Enc}_k\rangle^{(2)}}(\psi, \sigma)$
if $b = b'$ then Output: 1 else Output: 0

The advantage of A is defined as:

$$\mathrm{Adv}^{\mathrm{qIND\text{-}qCPA}}_{E,A} := \Pr\Big[\mathrm{Game}^{\mathrm{qIND\text{-}qCPA}}_{E,A} \to 1\Big] - \frac{1}{2}.$$

Definition 5.15 (Quantum Indistinguishability of Ciphertexts Under Quantum Chosen Plaintext Attack (qIND-qCPA)). A SKES E has quantum indistinguishable encryptions under quantum chosen plaintext attack (or, it is qIND-qCPA secure) iff, for any qIND adversary A it holds that:

$$\mathrm{Adv}^{\mathrm{qIND\text{-}qCPA}}_{E,A} \le \mathrm{negl}.$$
Clearly, qIND-qCPA is at least as strong as IND-qCPA, because a classical IND query is a special case of a quantum IND query.

Theorem 5.16 (qIND-qCPA ⇒ IND-qCPA). If a SKES is qIND-qCPA secure, then it is also IND-qCPA secure.

However, as we will show later, the converse is not necessarily true.

Corollary 5.17 (of Theorem 5.39 and Corollary 5.28). There exist SKES which are IND-qCPA secure, but not qIND-qCPA secure.

In particular, Construction 3.26 (which is IND-qCPA secure according to Theorem 5.10) is not qIND-qCPA secure, because it is covered in the impossibility result from Section 5.3. However, [GHS16] shows how to build qIND-qCPA secure SKES from qPRPs.
Construction 5.18 ([GHS16, Construction 6.4]). Let $(P, P^{-1})$ be a qPRP over $X \times R$ with key space K, where X and R are both of size superpolynomial in n. Define $E = E_{K,X,X \times R} := (\mathrm{KGen}, \mathrm{Enc}, \mathrm{Dec})$ as a SKES with key space K, plaintext space X, and ciphertext space $X \times R$, in the following way:
1. $\mathrm{KGen} \to k$, with $k \xleftarrow{\$} K$;
2. $\mathrm{Enc}_k(x) \to P_k(x \| r)$, where $r \xleftarrow{\$} R$;
3. $\mathrm{Dec}_k(y) := P^{-1}_k(y)\big|_X$.

Instead of proving the qIND-qCPA security of this construction directly, we prove it for another construction which generalizes it. Construction 5.18 has the drawback that the message length is upper bounded by the input length of the qPRP (minus the bit length of the randomness). However, like in the case of block ciphers, we can overcome this issue with a mode of operation. More specifically, we can handle arbitrary message lengths by splitting the message into blocks of a fixed length and applying the encryption algorithm of Construction 5.18 independently to each message block (using the same key but new randomness for each block). This procedure is akin to a ‘randomized ECB mode’, in the sense that each message block is processed separately, like in the ECB (Electronic Code Book) mode, but in our case the underlying cipher is inherently randomized (since we use fresh randomness for each block), so we can still achieve qCPA security. For simplicity we consider only message lengths which are multiples of the chosen block size. The construction can be generalized to arbitrary message lengths using standard padding techniques. Moreover, the randomness for every block can be generated efficiently using a single random seed and a pqPRNG.
Construction 5.19 ([GHS16, Construction 6.6]). Let $(P, P^{-1})$ be a qPRP over $X \times R$ with key space K, where X and R are both of size superpolynomial in n. For a polynomial function $\ell$, let $M := X^\ell$ and $C := (X \times R)^\ell$. Define $E = E_{K,M,C} := (\mathrm{KGen}, \mathrm{Enc}, \mathrm{Dec})$ as a SKES with key space K, plaintext space M, and ciphertext space C, in the following way:
1. $\mathrm{KGen} \to k$, with $k \xleftarrow{\$} K$;
2. $\mathrm{Enc}_k(x_1 \| \ldots \| x_\ell) \to P_k(x_1 \| r_1) \| \ldots \| P_k(x_\ell \| r_\ell)$, where $r_i \xleftarrow{\$} R$, $\forall i = 1, \ldots, \ell$;
3. $\mathrm{Dec}_k(y_1 \| \ldots \| y_\ell) := P^{-1}_k(y_1)\big|_X \| \ldots \| P^{-1}_k(y_\ell)\big|_X$.

Before proving the security of Construction 5.19, we need a technical lemma. Let us assume w.l.o.g. that $X = \{0,1\}^{m(n)}$, $R = \{0,1\}^{r(n)}$ for polynomial functions m and r, so that $C = \{0,1\}^{\ell \cdot (m + r)}$.

Lemma 5.20 ([GHS16, Lemma 6.7]). Let $\Phi$ be the quantum channel that takes as input an arbitrary m-qubit state, attaches other r qubits in state $|0\rangle$, and then applies a permutation picked uniformly at random from $S(\{0,1\}^{m+r})$ to the computational basis space. Let $\Psi$ be the constant quantum channel which maps any m-qubit state to the totally mixed state $\tau := \frac{I}{2^{m+r}}$ on m + r qubits. Then, $\|\Phi - \Psi\|_\diamond \le 2^{-r+2}$.

Proof. In order to consider the fact that the m-qubit input state might be entangled with something else, we have to start with a purification of such a state. This is a bipartite pure 2m-qubit state $|\varphi\rangle_{XY} = \sum_{x,y} a_{x,y}\,|x\rangle_X|y\rangle_Y$ whose m-qubit Y register is input into the channel and gets transformed into $I_X \otimes \Phi(|\varphi\rangle\langle\varphi|) = \mathrm{tr}_Z\,|\psi\rangle\langle\psi|$, where:

$$|\psi\rangle := \frac{1}{\sqrt{(2^{m+r})!}} \sum_{x \in \{0,1\}^m,\ y \in \{0,1\}^m,\ \pi \in S(\{0,1\}^{m+r})} a_{x,y}\,|x\rangle_X\,|\pi(y \| 0\ldots0)\rangle_C\,|\pi\rangle_Z.$$
By definition of the diamond norm, we have to show that for any 2m-qubit state $\rho$, we have that $\|(I \otimes \Phi)(\rho) - (I \otimes \Psi)(\rho)\|_{\mathrm{tr}} \le 2^{-r+2}$. Due to the convexity of the trace distance, we may assume that $\rho = |\varphi\rangle\langle\varphi|$ is pure with $|\varphi\rangle_{XY} = \sum_{x,y} a_{x,y}\,|x\rangle_X|y\rangle_Y$. Hence, we obtain:

$$\begin{aligned}
(I_X \otimes \Phi)(|\varphi\rangle\langle\varphi|) &= \mathrm{tr}_Z\,|\psi\rangle\langle\psi| \\
&= \frac{1}{(2^{m+r})!} \sum_{x,x',y,y',\pi} a_{x,y}\overline{a_{x',y'}}\,|x\rangle\langle x'|_X \otimes |\pi(y\|0\ldots0)\rangle\langle\pi(y'\|0\ldots0)|_C \\
&= \frac{1}{(2^{m+r})!} \sum_{x,x',y} a_{x,y}\overline{a_{x',y}}\,|x\rangle\langle x'|_X \otimes \sum_\pi |\pi(y\|0\ldots0)\rangle\langle\pi(y\|0\ldots0)|_C \\
&\quad + \frac{1}{(2^{m+r})!} \sum_{x,x',y \neq y'} a_{x,y}\overline{a_{x',y'}}\,|x\rangle\langle x'|_X \otimes \sum_\pi |\pi(y\|0\ldots0)\rangle\langle\pi(y'\|0\ldots0)|_C \\
&= \sum_{x,x',y} a_{x,y}\overline{a_{x',y}}\,|x\rangle\langle x'|_X \otimes \frac{1}{2^{m+r}} \sum_z |z\rangle\langle z|_C \\
&\quad + \sum_{x,x',y \neq y'} a_{x,y}\overline{a_{x',y'}}\,|x\rangle\langle x'|_X \otimes \frac{1}{2^{m+r}(2^{m+r}-1)} \sum_{z \neq z'} |z\rangle\langle z'|_C \\
&= \mathrm{tr}_Y\,|\varphi\rangle\langle\varphi| \otimes \tau_C + \chi_{XC} \\
&= (I_X \otimes \Psi)(|\varphi\rangle\langle\varphi|) + \chi_{XC},
\end{aligned}$$

where we defined the ‘difference state’:

$$\chi_{XC} := \sum_{x,x',y \neq y'} a_{x,y}\overline{a_{x',y'}}\,|x\rangle\langle x'|_X \otimes \frac{1}{2^{m+r}(2^{m+r}-1)} \sum_{z \neq z'} |z\rangle\langle z'|_C.$$

In order to conclude, it remains to show that $\|\chi_{XC}\|_{\mathrm{tr}} \le 2^{-r+2}$. For the C-register $\chi_C = \frac{1}{2^{m+r}(2^{m+r}-1)} \sum_{z \neq z'} |z\rangle\langle z'|_C$, one can verify that the $2^{m+r}$ eigenvalues are $(\lambda \cdot (2^{m+r}-1), -\lambda, -\lambda, \ldots, -\lambda)$ where $\lambda := \frac{1}{2^{m+r}(2^{m+r}-1)}$. Hence, the trace norm (which is the sum of the absolute eigenvalues) is exactly $\lambda \cdot 2(2^{m+r}-1) = 2^{-m-r+1}$.

For the X-register, we split $\chi_X$ into two parts $\chi_X = \xi_X - \xi'_X$ where:

$$\xi_X := \sum_{x,x'} |x\rangle\langle x'|_X \sum_{y,y'} a_{x,y}\overline{a_{x',y'}}\,; \qquad \xi'_X := \sum_{x,x'} |x\rangle\langle x'|_X \sum_{y} a_{x,y}\overline{a_{x',y}}\,,$$

and use the triangle inequality for the trace norm $\|\chi_X\|_{\mathrm{tr}} = \|\xi_X - \xi'_X\|_{\mathrm{tr}} \le \|\xi_X\|_{\mathrm{tr}} + \|\xi'_X\|_{\mathrm{tr}}$. Observe that $\|\xi_X\|_{\mathrm{tr}} = \big\|\sum_{x,y} a_{x,y}|x\rangle \sum_{x',y'} \overline{a_{x',y'}}\langle x'|\big\|_{\mathrm{tr}} = \big\||s\rangle\langle s|\big\|_{\mathrm{tr}}$ for the (non-normalized) vector $|s\rangle := \sum_{x,y} a_{x,y}|x\rangle$. Hence, the trace norm $\|\xi_X\|_{\mathrm{tr}} = |\langle s|s\rangle| = \sum_x \big|\sum_y a_{x,y}\big|^2 \le \sum_x \sum_y |a_{x,y}|^2 \cdot 2^m = 2^m$ by the Cauchy-Schwarz inequality and the normalization of the $a_{x,y}$'s. Furthermore, we note that $\xi'_X$ is exactly the reduced density matrix of $|\varphi\rangle_{XY}$ after tracing out the Y register. Hence, $\xi'_X$ is positive semi-definite and its trace norm is equal to its trace which is 1. In summary, we have shown that:

$$\|\chi_{XC}\|_{\mathrm{tr}} = \|\chi_X\|_{\mathrm{tr}} \cdot \|\chi_C\|_{\mathrm{tr}} \le \|\xi_X - \xi'_X\|_{\mathrm{tr}} \cdot 2^{-m-r+1} \le (\|\xi_X\|_{\mathrm{tr}} + \|\xi'_X\|_{\mathrm{tr}}) \cdot 2^{-m-r+1} \le (2^m + 1) \cdot 2^{-m-r+1} \le 2^{-r+2}.$$

If we consider a slightly different encryption channel $\Phi_T$ which still maps m qubits to m + r qubits but where the permutation $\pi$ is not picked uniformly from the whole set $S(\{0,1\}^{m+r})$, but instead we are guaranteed that a certain subset $T \subset \{0,1\}^{m+r}$ of outputs never occurs in these permutations, we can see such permutations as picked uniformly at random from a smaller set $S(\{0,1\}^{m+r} \setminus T)$. In this setting, we are interested in the distance of $\Phi_T$ from the slightly different constant channel $\Psi_T$ which maps all inputs to the (m + r)-qubit state $\tau_T$ which is completely mixed on the smaller set $\{0,1\}^{m+r} \setminus T$ of basis elements. The set T represents ‘forbidden’ values that the encryption algorithm does never produce if we assume certain conditions on the randomness used. This technique will be used in the proof of the next theorem. By modifying slightly the proof of Lemma 5.20 we get the following.

Corollary 5.21 ([GHS16, Corollary 6.8]). Let $\Phi_T, \Psi_T$ be quantum channels described as above. Then:

$$\|\Phi_T - \Psi_T\|_\diamond \le \frac{4}{2^r - |T|/2^m}. \qquad (5.2)$$

We can now prove the qIND-qCPA security of Construction 5.19.

Theorem 5.22 ([GHS16, Theorem 6.9]). Let E be the SKES from Construction 5.19 implemented through a (weak) qPRP family $(P, P^{-1})$. Then E is a qIND-qCPA SKES.

Proof. We want to show that no
QPT adversary can win the qIND-qCPA game with probability substantially better than guessing. We first transform the game through a short game-hopping sequence into a computationally equivalent game for which we can bound the success probability of the quantum distinguisher D.

Game 0: this is the original qIND-qCPA game.

Game 1: this is like Game 0, but instead of using a permutation drawn from the qPRP family P, a random permutation $\pi \in S(\{0,1\}^{m+r})$ is chosen from the set of all permutations over $\{0,1\}^{m+r}$. The difference in the success probability of D winning one or the other of these two games is negligible, otherwise, we could use D to distinguish a random permutation drawn from P from one drawn from $S(\{0,1\}^{m+r})$. This would contradict the assumption that P is a qPRP.

Game 2: this is like Game 1, but D is guaranteed that the randomness used for each encryption query are $\ell$ new random r-bit strings that were not used before. In other words, the challenger keeps track of all random values used so far and excludes those when sampling a new randomness. Since in Game 1 the same randomness is sampled twice only with negligible probability, the probabilities of winning these two games differ at most negligibly.

Game 3: this is like Game 2, except that the answer to each query asked by D also contains the randomness $r_1, \ldots, r_\ell$ used by the challenger for answering that query. Clearly, D's probability of winning this game is at least the probability of winning Game 2.

When Game 3 starts, the qIND message generator M (where A = (M, D) is the qIND adversary as in Definition 5.11) chooses two different plaintext states. One of them is chosen at random and sent back encrypted with fresh randomness values $\hat r_1, \ldots, \hat r_\ell$. Let Q denote the set of $q \cdot \ell = \mathrm{poly}(n)$ query values used during the previous q queries to $|\mathrm{Enc}_k\rangle$ in the first learning qCPA-phase. We have to consider that from this phase, D knows a set $T \subset \{0,1\}^{m+r}$ of ‘taken’ outputs (ciphertexts), i.e., he knows that any $\pi(x \| \hat r_i)$ will not take one of these values, as $\hat r_i$ has not been used before. So, from the adversary's point of view, $\pi$ is a permutation randomly chosen from $S'$, the set of those permutations over $\{0,1\}^{m+r}$ that fix these |T| values. In order to simplify the proof, we will consider a very conservative bound where $|T| = q \cdot \ell \cdot 2^m$, and the size of $S'$ is $|S'| = (2^{m+r} - |T|)!$. Notice that this bound is very conservative because it assumes that the adversary learns $2^m$ different (classical) ciphertexts for each one of the $q \cdot \ell$ ‘taken’ randomness values but, as we will see, this knowledge is still insufficient to win the game.

By construction, the encryption of an $(\ell \cdot m)$-qubit (possibly mixed) state $\rho$ is performed in $\ell$ separate blocks of m qubits each. We are guaranteed that fresh randomness is used in each block, hence it follows from Corollary 5.21 that $\mathrm{Enc}_k(\rho)$ is negligibly close to the ciphertext state where the first m + r qubits are replaced with the completely mixed state (by noting that $|T|/2^m = q \cdot \ell$ is polynomial in n in our case, and hence the right-hand side of (5.2) is negligible). Another application of Corollary 5.21 gives negligible distance to the ciphertext state where the first 2(m + r) qubits are replaced with the completely mixed state, etc. After $\ell$ applications of Corollary 5.21, we have shown that $\mathrm{Enc}_k(\rho)$ is negligibly close to the totally mixed state on $\ell(m + r)$ qubits. As this argument can be made for any plaintext state $\rho$, we have shown that, from D's point of view, all encrypted states have negligible distance from the totally mixed state, and therefore cannot be distinguished. This holds regardless of any additional query during the second qCPA phase, because a polynomial number of such queries cannot change this distance by more than a negligible amount.

Corollary 5.23 ([GHS16, Theorem 6.9]). Let E be the SKES from Construction 5.18 implemented through a (weak) qPRP family $(P, P^{-1})$. Then E is a qIND-qCPA SKES.

Notice how the security of Constructions 5.18 and 5.19 does not require strong qPRPs. The reason is that, even if we are considering type-(2) transformations (which could be used to compute $\pi^{-1}$), these transformations are never implemented directly by the adversary, but only evaluated as oracles. And since we only consider CPA quantum oracles here, and not CCA, the adversary is never granted access to the decryption oracle. Hence, $\pi^{-1}$ is
would require strong qPRPs.

Weak Quantum Indistinguishability
Before providing further results related to the qIND notion, we introduce here a slight relaxation of qIND which might be of use in certain contexts which we explain in this section. The idea is to restrict the power of the adversary in the qIND notion, by only allowing quantum states of a certain form for the qIND challenge phase. This notion was originally introduced in [GHS16] as ‘qIND’ but, as already mentioned at the beginning of this section, we relabel it as ‘wqIND’ (where ‘w’ stands for ‘weak’) for consistency with our framework. We start by defining the ‘restricted’ quantum states which can be used by the adversary in the new security notion.
Definition 5.24 (Classical Description of Quantum States). A classical description of a quantum state $\rho$ is a (classical) bit string $\mathrm{Dsc}(\rho)$ describing a quantum circuit which (takes no input but starts from a fixed initial state $|0\rangle$ and) outputs $\rho$.

We deviate here from the traditional meaning of ‘classical description’ referring to individual numerical entries of the density matrix. The reason is that Definition 5.24 also covers the cases where those numerical entries are not easily computable, as long as we can give an explicit constructive procedure for that state. Clearly, every pure quantum state $|\varphi\rangle$ has a classical description given by a description of the quantum circuit which implements the unitary that maps $|0\rangle$ to $|\varphi\rangle$. The classical description of a mixed state $\rho_A$ is given by the circuit which first creates a purification $|\varphi\rangle_{AR}$ of $\rho_A$ and then only outputs the A register. Note that a state admitting a classical description cannot be entangled with any other system. We say that a state has an efficient classical representation if it has a classical representation, and such representation has a bit size at most polynomial in some security parameter n. In this case, we assume the existence of a (fixed, public, canonical) QPT algorithm Qbuild which, given as input a classical description of a quantum state, outputs that state, i.e., $\mathrm{Qbuild}(\mathrm{Dsc}(\rho)) \to \rho$ (the notation for the output is probabilistic, because $\rho$ could be a mixed state, i.e., a distribution on pure states).

In classical models, there is no difference between sending a description of a message or the message itself. In the quantum world, there is a big difference between these two cases, as the latter allows the adversary A to establish entanglement of the message(s) with other registers. This is not possible when using classical descriptions. It might intuitively appear that the more general model considered for the qIND notion is more natural. However, the above scenario models the case where A is well aware of the message that is encrypted, but the message is not constructed by A himself. Giving A the ability to choose the challenge messages for the qIND game models the worst case that might happen: A knows that the ciphertext he receives is the encryption of one out of the two messages that he can distinguish best. This closely reflects the intuition behind the classical IND notion: in that game, the adversary is allowed to send the two messages not because in the real world he would be allowed to do so, but because we want to achieve security even for the best possible choice of messages from the adversary's perspective. Hence, the model using classical descriptions of quantum states is a valid alternative.

Experiment 5.25 ($\mathrm{Game}^{\mathrm{wqIND\text{-}qCPA}}_{E,A}$). Let E be a SKES, and A := (M, D) a qIND adversary. The wqIND-qCPA experiment proceeds as follows:

Input: $n \in \mathbb{N}$
$k \leftarrow \mathrm{KGen}$
$(\mathrm{Dsc}(\varphi_0), \mathrm{Dsc}(\varphi_1), \sigma) \leftarrow M^{|\mathrm{Enc}_k\rangle^{(2)}}$
$b \xleftarrow{\$} \{0,1\}$
$\varphi_b \leftarrow \mathrm{Qbuild}(\mathrm{Dsc}(\varphi_b))$
$\psi \leftarrow |\mathrm{Enc}_k\rangle^{(2)}(\varphi_b)$
$b' \leftarrow D^{|\mathrm{Enc}_k\rangle^{(2)}}(\psi, \sigma)$
if $b = b'$ then Output: 1 else Output: 0

The advantage of A is defined as:

$$\mathrm{Adv}^{\mathrm{wqIND\text{-}qCPA}}_{E,A} := \Pr\Big[\mathrm{Game}^{\mathrm{wqIND\text{-}qCPA}}_{E,A} \to 1\Big] - \frac{1}{2}.$$

Definition 5.26 (Weak Quantum Indistinguishability of Ciphertexts Under Quantum Chosen Plaintext Attack (wqIND-qCPA)). A SKES E has weakly quantum indistinguishable encryptions under quantum chosen plaintext attack (or, it is wqIND-qCPA secure) iff, for any qIND adversary A it holds:

$$\mathrm{Adv}^{\mathrm{wqIND\text{-}qCPA}}_{E,A} \le \mathrm{negl}.$$

Clearly, qIND-qCPA is at least as strong as wqIND-qCPA, because quantum states admitting an efficient classical description (used in wqIND) are just a special case of arbitrary quantum plaintext states (used in qIND).
Theorem 5.27 ([GHS16, Theorem 3.3]). If a SKES is qIND-qCPA secure, then it is also wqIND-qCPA secure.

Corollary 5.28 (qIND ⇒ wqIND). If a SKES is qIND secure, then it is also wqIND secure.
Finding a separation between wqIND and qIND is an open problem, asexplained in [GHS16]. Morally, the notion wqIND-qCPA should lie somewherebetween IND-qCPA and qIND-qCPA, because it covers indistinguishability formessages which are not necessarily classical, but not arbitrarily quantum. The .3. Quantum-Secure Secret-Key Encryption ‘allowingthe adversary to send plaintexts to the challenger is equivalent to the factthat indistinguishability must hold even for the most favorable case from theadversary’s perspective’ . Such an argument does not hold anymore quantumly.In fact, the qIND model presents the following issues:1. it allows entanglement between the adversary and the IND challenger: A could prepare a state of the form ρ AB = √ | i + √ | i , sending ρ A as a plaintext but keeping ρ B ; and2. it allows the adversary to create certain non-reproduceable states. Forexample, consider the state | ψ i = P x ∈X √ |X | | x, (cid:104) ( x ) i , where (cid:104) is acollision-resistant hash function. A could measure the second register,obtaining a random outcome y , and knowing therefore that the remain-ing state is the superposition of the preimages of y , i.e.: | ψ y i = X x ∈X : (cid:104) ( x )= y p | { x ∈ X : (cid:104) ( x ) = y } | | x i . A could then use | ψ y i as a plaintext in the challenge phase, but notethat A cannot reproduce | ψ y i for a given value y .Both of the above examples highlight adversary capabilities which might beconsidered unreasonably strong in certain scenarios. Entanglement between A and the IND challenger C represents a sort of ‘quantum watermarking’ ofmessages, which goes beyond what a meaningful notion of indistinguishabilityshould achieve. Knowledge of intermediate, unpredictable measurements alsorenders A too powerful, because it gives A access to information not availableto C itself; e.g., in the example above C would not even know the value of y . 
As it is $\mathcal{C}$ who prepares the state to be encrypted by running Qbuild, it is reasonable to assume that it is $\mathcal{C}$ who should know these intermediate measurements, not $\mathcal{A}$. In the example above, what $\mathcal{A}$ could see instead (provided he knows the circuit generating the state, as we assume in wqIND) is that the plaintext is a mixture $\Psi = \sum_y \psi_y$ over all possible values of $y$.

The possibility offered by qIND of allowing the adversary to play the IND game with arbitrary states is certainly elegant from a theoretical point of view, but from the perspective of the quantum security of the kind of schemes we are considering, it is sometimes useful to consider the restricted notion wqIND, because it inherently provides guidelines and reasonable limitations on what a quantum adversary can or cannot do. Also, wqIND is often easier to deal with: notice that in such a model, unlike in the qIND model, $\mathcal{A}$ always receives back an unentangled state from a challenge query. In security reductions, this means that we can more easily simulate the challenger, and that we do not have to take care of measures of entanglement when analyzing the properties of quantum states; for example, indistinguishability of states can be shown by only resorting to the trace norm instead of the more general diamond norm, as in the proof of Theorem 5.23.

Finally, it is important to notice that it is actually unclear whether a separation between qIND and wqIND can be found at all in the realm of classical encryption schemes. In fact, all the positive results present in [GHS16] hold for the more general qIND notion, while the impossibility result we present in Section 5.3 holds for both qIND and wqIND.
Quantum Semantic Security
In this section, we discuss notions of semantic security in QS2. All of them have been presented before in [GHS16]. We start by defining a semantic security equivalent of IND-qCPA, called SEM-qCPA. This is just the usual notion of SEM, augmented by giving to the adversary qCPA capabilities. In order to not overload notation, we refer to ‘adversary’ and ‘simulator’ simply as QPT versions of the PPT algorithms from Definition 3.14.
Definition 5.29 ([GHS16, Definition 4.1]). A SKES $\mathcal{E}$ is semantically secure under quantum chosen plaintext attack (or, it is SEM-qCPA secure) iff, for any QPT adversary $\mathcal{A}$ there exists a QPT simulator $\mathcal{S}$ such that, for every efficiently computable $f, h: \{0,1\}^* \to \{0,1\}^*$ polynomially bounded in the input bit size, for every probability ensemble $\mathcal{M} := (\mathcal{M}_n)_n$, where $\mathcal{M}_n$ are probability distributions over $\mathcal{X}_n$ with $|\mathcal{M}_n| = \mathrm{poly}(n)$, it holds:
$$\left|\, \Pr\left[\mathrm{Game}^{\mathrm{SEM}}_{\mathcal{E},\mathcal{A}^{|\mathrm{Enc}_k\rangle}}(\mathcal{M}, f, h) \to 1\right] - \Pr\left[\mathrm{Game}^{\mathrm{SEM}^*}_{\mathcal{E},\mathcal{S}^{|\mathrm{Enc}_k\rangle}}(\mathcal{M}, f, h) \to 1\right] \right| \le \mathrm{negl},$$
where $k \leftarrow \mathrm{KGen}$ is the secret key generated during the experiments, and the probabilities are taken over the randomness of $\mathcal{A}, \mathcal{E}, \mathcal{M}, \mathcal{S}$.

Unsurprisingly, the above notion is equivalent to IND-qCPA. The proof is a straightforward modification of Theorem 3.21 by also accounting for the quantum CPA queries.
Theorem 5.30 ([GHS16, Theorem 5.1]). A SKES is IND-qCPA secure iff it is SEM-qCPA secure.
We might ask what happens if the above definition is strengthened by providing the adversary (and the simulator) quantum advice, instead of a classical advice $h(x)$ for some plaintext $x$. The following two cases appear.

• We might replace the classical function $h$ with a unitary operator $U$ which, acting on a basis element $|x\rangle$ for a (classical) plaintext $x$, produces a quantum advice state $|\xi\rangle$. The resulting security notion is called quantum advice semantic security under quantum chosen plaintext attack (qaSEM-qCPA) [GHS16, Definition D.1], and it turns out to be meaningless, because trivially achievable by any SKES. The reason is that a unitary $U$ can always be inverted as $U^\dagger$ by both adversary and simulator. Both of them are then able to recover the plaintext given the quantum advice.

• To fix the above problem, we might allow more general quantum circuits $U$ that can somehow provide non-reversible information, for example by applying some partial measurement at the end, or by providing $\mathcal{A}$ (resp. $\mathcal{S}$) only with some output qubits, while tracing out the others. Towards this end let $U$ be an arbitrary quantum circuit (the advice circuit) that takes as input a basis element $|x\rangle$ and a quantum state $\rho$ provided by $\mathcal{A}$ (resp. $\mathcal{S}$) (that includes possibly needed auxiliary registers), and computes a (possibly mixed) quantum advice state $\xi$. The resulting security notion is called ideal quantum advice semantic security under quantum chosen plaintext attack (iqSEM-qCPA) [GHS16, Definition D.2], and it turns out to be equivalent to IND-qCPA. The reason is that the proof in Theorem 5.30 only uses the advice function to transmit classical information, and therefore iqSEM-qCPA can be reduced to IND-qCPA.

It seems therefore that introducing quantum advice states is not meaningful as long as the messages are still classical.
We proceed now instead to present a quantum security notion equivalent to the wqIND-qCPA notion. First of all, we redefine the meaning of quantum SEM adversary and simulator.

Definition 5.31 (Quantum SEM Adversary, Quantum SEM Simulator). Let $\mathcal{E} := \mathcal{E}_{\mathcal{K},\mathcal{X},\mathcal{Y}}$ be a SKES, and $\mathcal{H}_f, \mathcal{H}_h$ two Hilbert spaces of appropriate dimension (exponential in the security parameter). A quantum SEM adversary $\mathcal{A}$ for $\mathcal{E}$ is a QPT algorithm $\mathcal{A}: \mathfrak{D}(\mathcal{H}_\mathcal{Y}) \times \mathfrak{D}(\mathcal{H}_h) \to \mathfrak{D}(\mathcal{H}_f)$. A quantum SEM simulator $\mathcal{S}$ for $\mathcal{E}$ is a QPT algorithm $\mathcal{S}: \mathfrak{D}(\mathcal{H}_h) \to \mathfrak{D}(\mathcal{H}_f)$.

The wqSEM notion is given by replacing the classical functions $f$ and $h$ with quantum CPTP maps $\Sigma, \Xi$, which are quantum circuits taking as input $m$-qubit quantum states (where $m$ is the bit size of plaintexts, polynomial in $n$) and outputting $\mathrm{poly}(m)$-qubit quantum states. The idea is that, since we are using quantum states with efficient classical representations, we can sample some classical randomness once, and reuse it with Qbuild to create many copies of the same plaintext state.
Experiment 5.32 ($\mathrm{Game}^{\mathrm{wqSEM}}_{\mathcal{E},\mathcal{A}}$). Let $\mathcal{E}$ be a SKES, and $\mathcal{A}$ a quantum SEM adversary. The wqSEM experiment proceeds as follows:

Input: $n \in \mathbb{N}$, CPTP maps $\Sigma, \Xi$ with $m$-qubit input and $\mathrm{poly}(m)$-qubit output, $\mathcal{M} := (\mathcal{M}_n)_n$, where $\mathcal{M}_n$ are probability distributions over a family of randomness spaces $(\mathcal{R}_n)_n$, with $|\mathcal{M}_n| = \mathrm{poly}(n)$
$k \leftarrow \mathrm{KGen}$
$r \leftarrow \mathcal{M}_n$
$\varphi \leftarrow \mathrm{Qbuild}(r)$ ▷ Qbuild is invoked with randomness $r$
$\psi \leftarrow |\mathrm{Enc}_k\rangle^{(2)}(\varphi)$
$\varphi \leftarrow \mathrm{Qbuild}(r)$ ▷ a second copy of $\varphi$ is generated, using the same $r$
$\xi \leftarrow \Xi(\varphi)$ ▷ this is the quantum advice state
$\sigma \leftarrow \mathcal{A}(\psi, \xi)$
if $\sigma$ is computationally indistinguishable from $\Sigma(\varphi)$ then Output: 1
else Output: 0
[...] QPT algorithm $\mathcal{D}$ with outputs in $\{0,1\}$ (a quantum distinguisher), the probability that the output differs on the two states given as input is negligible’. As usual, a third copy of $\varphi$ (to be processed by $\Sigma$) can be generated using the same randomness $r$ and the Qbuild algorithm.
Experiment 5.33 ($\mathrm{Game}^{\mathrm{wqSEM}^*}_{\mathcal{E},\mathcal{S}}$). Let $\mathcal{E}$ be a SKES, and $\mathcal{S}$ a quantum SEM simulator. The simulated wqSEM experiment proceeds as follows:

Input: $n \in \mathbb{N}$, CPTP maps $\Sigma, \Xi$ with $m$-qubit input and $\mathrm{poly}(m)$-qubit output, $\mathcal{M} := (\mathcal{M}_n)_n$, where $\mathcal{M}_n$ are probability distributions over a family of randomness spaces $(\mathcal{R}_n)_n$, with $|\mathcal{M}_n| = \mathrm{poly}(n)$
$k \leftarrow \mathrm{KGen}$
$r \leftarrow \mathcal{M}_n$
$\varphi \leftarrow \mathrm{Qbuild}(r)$
$\xi \leftarrow \Xi(\varphi)$
$\sigma \leftarrow \mathcal{S}(\xi)$ ▷ $\mathcal{S}$ only gets the quantum advice, not the ciphertext
if $\sigma$ is computationally indistinguishable from $\Sigma(\varphi)$ then Output: 1
else Output: 0

Definition 5.34 (Weak Quantum Semantic Security (wqSEM)). A SKES $\mathcal{E}$ is weakly quantumly semantically secure (wqSEM) iff, for any quantum SEM adversary $\mathcal{A}$ there exists a quantum SEM simulator $\mathcal{S}$ such that, for every CPTP maps $\Sigma, \Xi$ with $m$-qubit input and $\mathrm{poly}(m)$-qubit output, for every probability ensemble $\mathcal{M} := (\mathcal{M}_n)_n$ with polynomial-size support over some randomness space, it holds:
$$\left|\, \Pr\left[\mathrm{Game}^{\mathrm{wqSEM}}_{\mathcal{E},\mathcal{A}}(\mathcal{M}, \Sigma, \Xi) \to 1\right] - \Pr\left[\mathrm{Game}^{\mathrm{wqSEM}^*}_{\mathcal{E},\mathcal{S}}(\mathcal{M}, \Sigma, \Xi) \to 1\right] \right| \le \mathrm{negl},$$
where the probabilities are taken over the randomness of $\mathcal{A}, \mathcal{E}, \mathcal{M}, \mathcal{S}$.

Definition 5.35 (Weak Quantum Semantic Security Under Quantum Chosen Plaintext Attack (wqSEM-qCPA)). A SKES $\mathcal{E}$ is weakly quantumly semantically secure under quantum chosen plaintext attack (wqSEM-qCPA) iff, for any quantum SEM adversary $\mathcal{A}$ there exists a quantum SEM simulator $\mathcal{S}$ such that, for every CPTP maps $\Sigma, \Xi$ with $m$-qubit input and $\mathrm{poly}(m)$-qubit output, for every probability ensemble $\mathcal{M} := (\mathcal{M}_n)_n$ with polynomial-size support over some randomness space, it holds:
$$\left|\, \Pr\left[\mathrm{Game}^{\mathrm{wqSEM}}_{\mathcal{E},\mathcal{A}^{|\mathrm{Enc}_k\rangle^{(2)}}}(\mathcal{M}, \Sigma, \Xi) \to 1\right] - \Pr\left[\mathrm{Game}^{\mathrm{wqSEM}^*}_{\mathcal{E},\mathcal{S}^{|\mathrm{Enc}_k\rangle^{(2)}}}(\mathcal{M}, \Sigma, \Xi) \to 1\right] \right| \le \mathrm{negl},$$
where the probabilities are taken over the randomness of $\mathcal{A}, \mathcal{E}, \mathcal{M}, \mathcal{S}$.
The resulting wqSEM-qCPA notion is equivalent to wqIND-qCPA.
Theorem 5.36 ([GHS16, Theorem 5.4]). A SKES is wqIND-qCPA secure iff it is wqSEM-qCPA secure.

Proof.
The proof closely follows the one for Theorem 3.21, with some careful modifications. We prove the theorem by splitting it in two parts.

wqIND-qCPA $\Rightarrow$ wqSEM-qCPA. Let $\mathcal{A}$ be an efficient quantum SEM adversary. We want to show that a quantum SEM simulator $\mathcal{S}$ exists, with roughly the same success probability as $\mathcal{A}$, by exploiting the wqIND-qCPA security of the encryption scheme. The idea of the proof is to hand $\mathcal{A}$’s circuit as non-uniform advice to the simulator $\mathcal{S}$. This is allowed, because $\mathcal{A}$ is a QPT adversary against the wqSEM-qCPA game, and hence $\mathcal{A}$’s circuit has a short classical representation. $\mathcal{S}$ can then build and run $\mathcal{A}$’s circuit, and simulate a wqSEM-qCPA experiment for $\mathcal{A}$ by generating a new key and answering all of $\mathcal{A}$’s queries using this key. When $\mathcal{S}$ performs his ‘real’ wqSEM challenge query (using the challenge query generated by $\mathcal{A}$), he does not receive back a valid ciphertext. However, $\mathcal{S}$ can generate a bogus ciphertext by encrypting (with his own key) the $|0\ldots0\rangle$ basis element of the same size as the original plaintext state. It follows from the indistinguishability of encryptions that $\mathcal{A}$’s success probability in this game must be negligibly close to its success probability with a real ciphertext, otherwise $\mathcal{A}$ would be an efficient distinguisher for the scheme $\mathcal{E}$.

wqSEM-qCPA $\Rightarrow$ wqIND-qCPA. Assume there exists an efficient wqIND-qCPA distinguisher $\mathcal{D}$ for the scheme $\mathcal{E}$. Then we show how to construct a QPT algorithm $\mathcal{A}$ that has oracle access to $\mathcal{D}$ and breaks the wqSEM-qCPA security of the scheme, in the sense that no simulator $\mathcal{S}$ can do better than $\mathcal{A}$. The construction works as follows: $\mathcal{A}$ starts the $\mathrm{Game}^{\mathrm{wqSEM}}_{\mathcal{E},\mathcal{A}}$ game, and then he runs $\mathcal{D}$, emulating the quantum encryption oracle by simply forwarding all the qCPA queries performed by $\mathcal{D}$ to its own oracle (the $|\mathrm{Enc}_k\rangle^{(2)}$ oracle of the wqSEM-qCPA game).
When $\mathcal{D}$ executes the wqIND challenge query by sending classical descriptions of two states $\varphi_0$ and $\varphi_1$, $\mathcal{A}$ produces the wqSEM template $(\mathcal{M}, \Xi, \Sigma)$, with $\mathcal{M}$ such that $\mathrm{Qbuild}(r)$ outputs $\varphi_0$ for half of the possible values $r \leftarrow \mathcal{M}$ and $\varphi_1$ for the other half, $\Xi$ is the constant map outputting $|0\ldots0\rangle$, and $\Sigma$ is the identity map $\Sigma(\rho) = \rho$. Then $\mathcal{A}$ performs a wqSEM challenge query with this template. Given the challenge ciphertext state $|\mathrm{Enc}_k\rangle^{(2)}(\varphi_b)$ (for $b \in \{0,1\}$), $\mathcal{A}$ forwards it as an answer to $\mathcal{D}$’s wqIND challenge query. As $\mathcal{D}$ distinguishes $|\mathrm{Enc}_k\rangle^{(2)}(\varphi_0)$ from $|\mathrm{Enc}_k\rangle^{(2)}(\varphi_1)$ with non-negligible success probability by assumption, $\mathcal{D}$ returns the correct value of $b$ with non-negligible advantage over guessing. Then $\mathcal{A}$, having recorded a copy of the classical descriptions of $\varphi_0$ and $\varphi_1$, is able to create another copy of $\varphi_b$ through Qbuild and compute the state $\Sigma(\varphi_b)$ exactly, and consequently win the wqSEM-qCPA game with non-negligible advantage. However, as $\Xi$ generates the same (constant, useless) advice state $|0\ldots0\rangle$ independently of the encrypted message, no simulator can do better than guessing the plaintext. This concludes the proof.

In this work, we will not explicitly define a notion of quantum semantic security related to qIND. However, we will show in the next chapter how the qIND notion is equivalent to the quantum indistinguishability notion QIND (introduced in [BJ15]) for quantum encryption schemes, when these are obtained by implementing a classical SKES in unitary type-(2) mode. In [ABF+16] [...]

Impossibility Result
In this section we show how the qIND security notion cannot be achieved by a large class of SKESs: namely, all those schemes which do not substantially expand the message during encryption. First we formally define what it means for a cipher to expand or keep constant the message size by defining the core function of a SKES. Intuitively, the definition splits the ciphertext into the randomness and a part carrying the message-dependent information. This definition covers most encryption schemes in the literature.
Definition 5.37 (Core Function [GHS16, Definition 6.1]). Let $\mathcal{E} = \mathcal{E}_{\mathcal{K},\mathcal{X},\mathcal{Y}}$ be a SKES, and let $\mathcal{R}$ be the randomness space of Enc. Let $f: \mathcal{K} \times \mathcal{R} \times \mathcal{X} \to \mathcal{Y}$ be a function such that:

• for all $k \in \mathcal{K}$ and for all $x \in \mathcal{X}$, $\mathrm{Enc}_k(x)$ can be written as $(r, f(k, r, x))$, where $r \in \mathcal{R}$ is independent of the message; and

• there exists a function $g$ such that for all $k \in \mathcal{K}$, $r \in \mathcal{R}$, $x \in \mathcal{X}$ it holds: $g(k, r, f(k, r, x)) = x$.

Then, we call $f$ the core function of the encryption scheme.

[...] $\mathrm{Enc}_k(x)$ is defined as $(r, F_k(r) \oplus x)$ for a PRF $F$) the core function would be $f(k, r, x) := F_k(r) \oplus x$, with associated $g(k, r, z) := z \oplus F_k(r)$.

Definition 5.38 (Quasi–Length-Preserving Encryption [GHS16, Definition 6.2]). We call a SKES with core function $f$ quasi–length-preserving iff:
$$\forall x \in \mathcal{X},\ \forall r \in \mathcal{R},\ \forall k \in \mathcal{K} \implies |f(k, r, x)| = |x|,$$
i.e., the output of the core function has the same bit length as the plaintext.

For example, Construction 3.26 is quasi–length-preserving.

The crucial observation for our impossibility result is the following: for a quasi–length-preserving encryption scheme, the spaces of possible input and (core function) output bit strings (with respect to plaintext and ciphertext) coincide, therefore these ciphers act as permutations on these spaces. This means that, if we start with an input state which is a superposition of all the possible basis states, all of them with the same amplitude, this state will be left unmodified by the unitary type-(2) encryption operation (because such an operator will just ‘shuffle’, in the space of computational basis states, amplitudes which are exactly the same).
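The observation above can be checked numerically on a small state vector. The following is an added example, not code from the dissertation or from [GHS16]: it models the unitary type-(2) encryption of a quasi–length-preserving scheme as a permutation of the computational basis, feeds it the uniform superposition $H|0^m\rangle$ and the phase-flipped superposition $H|1^m\rangle$ used by the distinguisher of Theorem 5.39 below, and reports the probability of observing $0^m$ after re-applying $H$. The XOR core function of the Construction 3.26 style scheme is instantiated with HMAC-SHA256 standing in for the PRF $F$ (an assumption of this demo, not part of the page); a random permutation is also offered, since the argument only uses the bijectivity of the core function.

```python
import hashlib
import hmac
import random


def hadamard_all(amps):
    """Apply H^{(x)m} to an m-qubit state given as a list of 2^m amplitudes
    (basis index = integer value of the bit string). In-place Walsh-Hadamard
    butterfly with a 1/sqrt(2) factor per qubit, so the result is normalised."""
    n = len(amps)
    m = n.bit_length() - 1
    assert 1 << m == n, "amplitude vector must have length 2^m"
    out = list(amps)
    h = 1
    while h < n:
        for i in range(0, n, 2 * h):
            for j in range(i, i + h):
                a, b = out[j], out[j + h]
                out[j], out[j + h] = (a + b) / 2 ** 0.5, (a - b) / 2 ** 0.5
        h *= 2
    return out


def basis_state(m, x):
    """The computational basis state |x> on m qubits."""
    amps = [0j] * (1 << m)
    amps[x] = 1 + 0j
    return amps


def type2_encrypt(core_perm, amps):
    """Unitary type-(2) encryption for a fixed key and randomness: the core function
    is a bijection on {0,1}^m, so |x> -> |core_perm(x)>. Amplitudes are moved,
    never changed; this is the 'shuffle' in the text."""
    out = [0j] * len(amps)
    for x, a in enumerate(amps):
        out[core_perm(x)] += a
    return out


def prf_xor_core(key: bytes, r: bytes, m: int):
    """Core function f(k, r, x) = F_k(r) XOR x of the Construction 3.26 style scheme.
    HMAC-SHA256 truncated to m bits stands in for the PRF F (assumption for this demo)."""
    digest = hmac.new(key, r, hashlib.sha256).digest()
    pad = int.from_bytes(digest, "big") & ((1 << m) - 1)
    return lambda x: x ^ pad


def random_permutation_core(m, seed):
    """Any bijection on {0,1}^m is a quasi-length-preserving core (constructed, seeded)."""
    table = list(range(1 << m))
    random.Random(seed).shuffle(table)
    return lambda x: table[x]


def distinguisher_prob_zero(core_perm, m, b):
    """One run of the Theorem 5.39 distinguisher for challenge bit b:
    plaintexts phi_0 = H|0^m>, phi_1 = H|1^m>; the challenger encrypts phi_b in
    type-(2) mode; D applies H to the core-function register and measures.
    Returns Pr[outcome = 0^m]."""
    x = 0 if b == 0 else (1 << m) - 1
    phi = hadamard_all(basis_state(m, x))
    psi = type2_encrypt(core_perm, phi)
    final = hadamard_all(psi)
    return abs(final[0]) ** 2


def attack_advantage(core_perm, m):
    """(Pr[0^m | b=0], Pr[0^m | b=1]); the text predicts (1, 0) for every permutation."""
    return distinguisher_prob_zero(core_perm, m, 0), distinguisher_prob_zero(core_perm, m, 1)


if __name__ == "__main__":
    core = prf_xor_core(b"constructed-key", b"nonce", 4)
    print("XOR core, m=4:", attack_advantage(core, 4))
    print("random permutation, m=3:", attack_advantage(random_permutation_core(3, 7), 3))
```

The uniform superposition passes through any basis permutation unchanged, so `hadamard_all` maps it back to $|0^m\rangle$ with probability 1; the phase pattern of $H|1^m\rangle$ has half its amplitudes negated, so their sum (the amplitude of $|0^m\rangle$ after the final $H$) is exactly 0. Nothing about the key or the PRF enters the outcome, which is why the result is an impossibility for the whole class rather than a weakness of one scheme.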
Theorem 5.39 ([GHS16, Theorem 6.3]). If a SKES is quasi–length-preserving, then it is not wqIND secure.

Proof.
Let $(\mathrm{Gen}, \mathrm{Enc}, \mathrm{Dec})$ be a quasi–length-preserving scheme. We give an explicit, efficient distinguisher attack.

1. For $m$-bit message strings, the distinguisher $\mathcal{D}$ sets the two plaintext states for the qIND game to be: $|\varphi_0\rangle = H|0^m\rangle$, $|\varphi_1\rangle = H|1^m\rangle$, where $H$ is the $m$-fold tensor Hadamard transformation. Notice that both these states admit efficient classical representations, and are thus allowed in the wqIND game.

2. A random bit $b$ is flipped, and the challenge ciphertext state $|\psi\rangle = |\mathrm{Enc}_k\rangle^{(2)}|\varphi_b\rangle$ is returned to $\mathcal{D}$.

3. $\mathcal{D}$ applies $H$ to the core-function part of the ciphertext $|\psi\rangle$ and measures it in the computational basis. $\mathcal{D}$ outputs 0 iff the outcome is $0^m$, and outputs 1 otherwise.

Notice that applying $|\mathrm{Enc}_k\rangle^{(2)}$ to $H|0^m\rangle$ leaves the state untouched: since the encryption oracle merely performs a permutation in the basis space, and since $|\varphi_0\rangle$ is a superposition of every basis element with the same amplitude, it follows that whenever $b$ is equal to 0, the ciphertext state will be left unchanged. In this case, after applying the self-inverse transformation $H$ again, $\mathcal{D}$ obtains measurement outcome $0^m$ with probability 1.
Figure 5.2: Relations for semantic security notions in QS2

On the other hand, if $b = 1$, then $|\varphi_1\rangle = 2^{-m/2} \sum_y (-1)^{y \cdot 1^m} |y\rangle$, where $a \cdot b$ denotes the bitwise inner product between $a$ and $b$. Hence, $|\varphi_1\rangle$ is a superposition of every basis element where (depending on the parity of $y$) half of the elements have a positive amplitude and the other half have a negative one, but all of them will be equal in absolute value. Applying $|\mathrm{Enc}_k\rangle^{(2)}$ to this state results in $2^{-m/2} \sum_y (-1)^{y \cdot 1^m} |\mathrm{Enc}(y)\rangle$. After re-applying $H$, the amplitude of the basis state $|0^m\rangle$ becomes $\sum_y (-1)^{y \cdot 1^m + \mathrm{Enc}(y) \cdot 0^m} = \sum_y (-1)^{\|y\|}$ (where $\|y\|$ is the Hamming weight of $y$), which is 0. Hence, the probability for $\mathcal{D}$ of observing $0^m$ after the measurement is 0. This gives $\mathcal{D}$ a way of distinguishing between encryptions of the two plaintext states.

Notice that the above attack works also against qIND, because of Theorem 5.27. In particular, Theorem 5.39 shows that Construction 3.26, which is IND-qCPA secure if the used PRF is quantum secure, does not fulfill qIND, nor wqIND. This attack is a consequence of the well-known fact [AMTdW00, BR03] that, in order to perfectly (information-theoretically) encrypt a single quantum bit, two bits of classical information are needed: one to hide the basis bit, and one to hide the phase (i.e., the signs of the amplitudes). The fact that we are restricted to quantum operations of the form $|\mathrm{Enc}_k\rangle^{(2)}$ (that is, quantum instantiations of classical encryptions) means that we cannot afford to hide the phase as well, and this restriction allows for an easy distinguishing procedure in the case of a quasi–length-preserving SKES.

Summing up, all the semantic security notions presented in this section are summarized in Figure 5.2.

Quantum CCA
Finally, here we give a brief discussion about the possibility of extending the QS2 [...]

Figure 5.3: Relations for SKES security notions in the quantum world.
The case of quantum CCA1 is straightforward for the classical IND case. The resulting IND-qCCA1 notion is just as the IND-qCPA notion, augmented by a quantum CCA query before the classical IND query. This is modeled in the security game by giving to the first-stage IND adversary oracle access to the quantum decryption oracle $|\mathrm{Dec}_k\rangle$.

The cases of wqIND-qCCA1 and qIND-qCCA1 are also straightforward, as the decryption queries only happen before the qIND query. It is just necessary to define the type-(2) decryption oracle $|\mathrm{Dec}_k\rangle^{(2)}$, but this is trivial considering that $|\mathrm{Dec}_k\rangle^{(2)} = \left(|\mathrm{Enc}_k\rangle^{(2)}\right)^\dagger$. However, Construction 5.19 will require strong qPRPs in order to be secure under the new notion, as already discussed.

The case of qCCA2, instead, is much more delicate. For the classical IND case, [BZ13b] shows how to correctly define IND-qCCA2 (and how to achieve it), by carefully defining the decryption oracle after the IND query. For the ‘fully quantum case’ qIND-qCCA2, however, it is unclear whether such a notion is even possible to define. The problem is that in the CCA2 game it is necessary to ensure that the adversary does not ask for a decryption of the challenge ciphertext, leading to a trivial break. While this is easily demanded in the classical world, it raises several issues in the quantum world. What does it mean for a quantum ciphertext state to be different from the challenge ciphertext? And, more importantly: how can the challenger check? There might be several reasonable ways to solve the first issue but, as long as the queries are not classical, it is not known how to solve the second issue without disturbing the challenge ciphertext and the query states. Defining CCA2 security notions in the quantum world is an outstanding open problem [GHS16, ABF+16].

Chapter 6. QS3: Fully Quantum Security
In the previous chapters, we studied the security of classical cryptographic primitives in different quantum scenarios. In this chapter, instead, we focus on the security of quantum cryptographic primitives, that is, cryptographic primitives which are meant to be natively run on a quantum computing device. The quantum security class QS3 [...] quantum data. As such, one can see QS3 [...] security of cryptographic primitives which natively deal with quantum information, and this does not necessarily involve computation performed on some futuristic, fully-fledged quantum computer. As an example, quantum key distribution (QKD) [BB14] is a well-studied area in modern cryptography, where honest parties want to establish a shared secret by using quantum communication channels. As such, QKD perfectly fits in the QS3 [...] quantum encryption (that is, cryptographic schemes meant to protect quantum data), and then we will see an application by extending ORAMs to the case where the database to be protected is composed of quantum data.

Remarkably, more often than not, the term ‘quantum cryptography’ is (incorrectly) used as a synonym for ‘QKD’ in scientific literature.
My Scientific Contributions in this Chapter
Regarding quantum encryption, most of the material from Sections 6.1 and 6.2 first appears in [ABF+16] [...]

In this section, we study the computational security of quantum encryption schemes, that is, schemes which are meant to protect quantum data. In this sense, plaintexts and ciphertexts are pure quantum states from Hilbert spaces of appropriate dimension, or mixed states of such. In fact, the schemes described in this section are meant to work on arbitrary quantum states, even those which might be entangled with external systems, therefore it is crucial to use the density matrix formalism. Accordingly, (families of) classical plaintext and ciphertext spaces $\mathcal{X}$ and $\mathcal{Y}$ are replaced with quantum operator spaces $\mathfrak{D}(\mathcal{H}_\mathcal{X})$ and $\mathfrak{D}(\mathcal{H}_\mathcal{Y})$ respectively, where $\mathcal{H}_\mathcal{X}$ and $\mathcal{H}_\mathcal{Y}$ are (families of) complex Hilbert spaces of dimension $|\mathcal{X}| = 2^m$ and $|\mathcal{Y}| = 2^c$ respectively, for functions $m$ and $c$ polynomial in the security parameter $n$.

However, the encryption keys used will still be classical. This is actually a feature, as these schemes require honest parties to be able to encrypt and decrypt several times with the same keys, and classical keys can be stored and managed more easily.

Definitions, and the Quantum One-Time Pad
We start by defining secret-key quantum encryption schemes (SKQES), as introduced in [ABF+16] [...] $\mathcal{K} = (\mathcal{K}_n)_n := \{0,1\}^n$, so that the key length is $n$ bits. Later, we will define an additional Hilbert space $\mathcal{H}_{\mathrm{Env}}$ (the environment space) in order to model auxiliary information used by some adversary. Encryption accepts a classical key and a quantum plaintext, and outputs a quantum ciphertext; decryption accepts a classical key and a quantum ciphertext, and outputs a quantum plaintext. The correctness guarantee is that plaintexts are preserved (up to negligible error) under encryption followed by decryption under the same key.
Definition 6.1 (Secret-Key Quantum Encryption Scheme (SKQES)). A secret-key quantum encryption scheme (SKQES) with plaintext space $\mathfrak{D}(\mathcal{H}_\mathcal{X})$, ciphertext space $\mathfrak{D}(\mathcal{H}_\mathcal{Y})$, and (classical) key space $\mathcal{K}$ is a tuple of QPT algorithms $\mathcal{E} := \mathcal{E}_{\mathcal{K}, \mathfrak{D}(\mathcal{H}_\mathcal{X}), \mathfrak{D}(\mathcal{H}_\mathcal{Y})} := (\mathrm{KGen}, \mathrm{QEnc}, \mathrm{QDec})$:

1. $\mathrm{KGen}: \to \mathcal{K}$;
2. $\mathrm{QEnc}: \mathcal{K} \times \mathfrak{D}(\mathcal{H}_\mathcal{X}) \to \mathfrak{D}(\mathcal{H}_\mathcal{Y})$;
3. $\mathrm{QDec}: \mathcal{K} \times \mathfrak{D}(\mathcal{H}_\mathcal{Y}) \to \mathfrak{D}(\mathcal{H}_\mathcal{X})$;

such that $\left\| \mathrm{QDec}_k \circ \mathrm{QEnc}_k - \mathbb{I}_{\mathcal{H}_\mathcal{X}} \right\|_\diamond \le \mathrm{negl}$ for all $k \leftarrow \mathrm{KGen}$.

As usual, we denote by $\mathrm{QEnc}_k$ the action of QEnc on a specific, fixed key $k \leftarrow \mathrm{KGen}$, and analogously for $\mathrm{QDec}_k$. However, unlike in the case of Definition 3.12, for simplicity we will omit the possibility that the decryption algorithm answers (a quantum analogue of) $\bot$ to some decryption queries.

One of the most basic examples of SKQES is the quantum one-time pad (QOTP). The QOTP takes as input an $n$-qubit plaintext space and a $2n$-bit secret key. Every pair of bits from the key selects one of four possible single-qubit Pauli operators $I, X, Y, Z$ as $X^{(\text{first bit})} Z^{(\text{second bit})}$. Thus, the secret key defines a sequence of $n$ independent single-qubit Pauli operators, each of them to be applied separately to each of the $n$ qubits of the plaintext (that is, the key defines an element of the $n$-qubit Pauli group), resulting in the ciphertext. Since Pauli operators are self-adjoint, decryption just applies the same procedure to the ciphertext state.

Construction 6.2 (Quantum One-Time Pad (QOTP) [AMTdW00, BR03]). Let $\mathcal{H}_\mathcal{X} = \mathcal{H}_\mathcal{Y}$ be of dimension $2^n$, and let $\mathcal{K} = \{0,1\}^{2n}$. Define the quantum one-time pad (QOTP) on $n$ qubits $\mathrm{QOTP}_k := (\mathrm{KGen}, \mathrm{QEnc}, \mathrm{QDec})$ as the SKQES with key space $\mathcal{K}$, plaintext space $\mathfrak{D}(\mathcal{H}_\mathcal{X})$, and ciphertext space $\mathfrak{D}(\mathcal{H}_\mathcal{Y})$, defined as:

1. $\mathrm{KGen} \to k$, with $k \xleftarrow{\$} \mathcal{K}$;
2. $\mathrm{QEnc}_k(\varphi) := P(k)\, \varphi\, P(k)^\dagger$;
3. $\mathrm{QDec}_k(\rho) := P(k)\, \rho\, P(k)^\dagger$,

where $P(k) := \prod_{j=1}^{n} X_j^{k_{2j-1}} Z_j^{k_{2j}} \in \mathcal{P}_n$, and $k_j$ is the $j$-th bit of $k$.

Notice how two bits of key are needed for every qubit of plaintext. The QOTP is known [AMTdW00, BR03] to be quantum information-theoretically secure, as long as the key is completely random and only used once.
Quantum Indistinguishability
We use a definition of computational quantum indistinguishability introduced in [BJ15], which we relabel here as QIND for our purposes (notice the capital ‘Q’, unlike Definition 5.13), and which is the analogue of the classical IND notion, keeping in mind that a quantum adversary for a SKQES could try to distinguish states that he has previously entangled with the environment. Intuitively, the adversary produces a tripartite system, composed of two plaintext states and an environment state. The environment state is passed to the second-stage adversary, who also receives an encryption of one of the two other states, selected at random, while the other one is traced out. As usual, the goal of the adversary is to guess which one of the two plaintext systems was selected for encryption. Formally, we define the following.
Experiment 6.3 ($\mathrm{Game}^{\mathrm{QIND}}_{\mathcal{E},\mathcal{A}}$). Let $\mathcal{E}$ be a SKQES, and $\mathcal{A} := (\mathcal{M}, \mathcal{D})$ a QIND adversary as from Definition 5.11. The QIND experiment proceeds as follows:

Input: $n \in \mathbb{N}$
$k \leftarrow \mathrm{KGen}$
$(\varphi_0, \varphi_1, \sigma) \leftarrow \mathcal{M}$
$b \xleftarrow{\$} \{0,1\}$
$\psi \leftarrow \mathrm{QEnc}(\varphi_b)$
trace out $\varphi_{1-b}$
$b' \leftarrow \mathcal{D}(\psi, \sigma)$
if $b' = b$ then Output: 1
else Output: 0

The advantage of $\mathcal{A}$ is defined as:
$$\mathrm{Adv}^{\mathrm{QIND}}_{\mathcal{E},\mathcal{A}} := \Pr\left[\mathrm{Game}^{\mathrm{QIND}}_{\mathcal{E},\mathcal{A}} \to 1\right] - \frac{1}{2}.$$

Definition 6.4 (Indistinguishability of Quantum Ciphertexts (QIND)). A SKQES $\mathcal{E}$ has indistinguishable quantum encryptions (or, it is QIND secure) iff, for any QIND adversary $\mathcal{A}$ it holds that: $\mathrm{Adv}^{\mathrm{QIND}}_{\mathcal{E},\mathcal{A}} \le \mathrm{negl}$.

Notice how this definition and the related experiment are exactly the same as Experiment 5.12 and Definition 5.13; even the adversarial model is the same as in the qIND case from Chapter 5. This is not incidental: historically, notions of computational indistinguishability for encrypted quantum states have been introduced in [BJ15] and [GHS16] as concurrent and independent works (although [BJ15] was published earlier), but for different purposes and with slightly different flavors. What we call here QIND was originally called q-IND-CPA-2 in [BJ15] (minus the CPA part), while qIND was originally called (C Qn e)-IND in [GHS16]. However, the former notion was given in the context of fully homomorphic quantum encryption (which, according to our framework, belongs to the QS3 [...] superposition-resistant quantum encryption (as we mean it in the QS[...] + QS2) [...]
[...] or ‘fully’ quantum encryption (QS3 [...] QS[...] must be quantum. Hence, without need of specifying further, we call the resulting notions QIND-CPA and QIND-CCA1. This is also useful in order to understand ‘at first glance’ that we are talking about a QS3 [...]

Experiment 6.5 ($\mathrm{Game}^{\mathrm{QIND\text{-}CPA}}_{\mathcal{E},\mathcal{A}}$). Let $\mathcal{E}$ be a SKQES, and $\mathcal{A} := (\mathcal{M}, \mathcal{D})$ a QIND adversary. The QIND-CPA experiment proceeds as follows:

Input: $n \in \mathbb{N}$
$k \leftarrow \mathrm{KGen}$
$(\varphi_0, \varphi_1, \sigma) \leftarrow \mathcal{M}^{\mathrm{QEnc}}$
$b \xleftarrow{\$} \{0,1\}$
$\psi \leftarrow \mathrm{QEnc}(\varphi_b)$
trace out $\varphi_{1-b}$
$b' \leftarrow \mathcal{D}^{\mathrm{QEnc}}(\psi, \sigma)$
if $b' = b$ then Output: 1
else Output: 0

The advantage of $\mathcal{A}$ is defined as:
$$\mathrm{Adv}^{\mathrm{QIND\text{-}CPA}}_{\mathcal{E},\mathcal{A}} := \Pr\left[\mathrm{Game}^{\mathrm{QIND\text{-}CPA}}_{\mathcal{E},\mathcal{A}} \to 1\right] - \frac{1}{2}.$$

Definition 6.6 (Indistinguishability of Quantum Ciphertexts Under Chosen Plaintext Attack (QIND-CPA)). A SKQES $\mathcal{E}$ has indistinguishable quantum encryptions under chosen plaintext attack (or, it is QIND-CPA secure) iff, for any QIND adversary $\mathcal{A}$ it holds: $\mathrm{Adv}^{\mathrm{QIND\text{-}CPA}}_{\mathcal{E},\mathcal{A}} \le \mathrm{negl}$.

Clearly, QIND-CPA is at least as strong as QIND.
Theorem 6.7 (QIND-CPA $\Rightarrow$ QIND). If a SKQES is QIND-CPA secure, then it is also QIND secure.
However, the converse is not necessarily true. For example, the QOTP(Construction 6.2) is information-theoretically secure for random, unrelatedkeys, and thus it is also QIND. However, as in the classical OTP analogue,security is compromised if the same key is used more than once.
Theorem 6.8 (QIND $\not\Rightarrow$ QIND-CPA). There exist SKQES which are QIND secure, but not QIND-CPA secure.
As usual, extending the above security notion to the QCCA1 case isstraightforward.
Experiment 6.9 ($\mathrm{Game}^{\mathrm{QIND\text{-}CCA1}}_{\mathcal{E},\mathcal{A}}$). Let $\mathcal{E}$ be a SKQES, and $\mathcal{A} := (\mathcal{M}, \mathcal{D})$ a QIND adversary. The QIND-CCA1 experiment proceeds as follows:

Input: $n \in \mathbb{N}$
$k \leftarrow \mathrm{KGen}$
$(\varphi_0, \varphi_1, \sigma) \leftarrow \mathcal{M}^{\mathrm{QEnc}, \mathrm{QDec}}$
$b \xleftarrow{\$} \{0,1\}$
$\psi \leftarrow \mathrm{QEnc}(\varphi_b)$
trace out $\varphi_{1-b}$
$b' \leftarrow \mathcal{D}^{\mathrm{QEnc}}(\psi, \sigma)$
if $b' = b$ then Output: 1
else Output: 0

The advantage of $\mathcal{A}$ is defined as:
$$\mathrm{Adv}^{\mathrm{QIND\text{-}CCA1}}_{\mathcal{E},\mathcal{A}} := \Pr\left[\mathrm{Game}^{\mathrm{QIND\text{-}CCA1}}_{\mathcal{E},\mathcal{A}} \to 1\right] - \frac{1}{2}.$$

Definition 6.10 (Indistinguishability of Quantum Ciphertexts Under Non-Adaptive Chosen Ciphertext Attack (QIND-CCA1)). A SKQES $\mathcal{E}$ has indistinguishable quantum encryptions under non-adaptive chosen ciphertext attack (or, it is QIND-CCA1 secure) iff, for any QIND adversary $\mathcal{A}$ it holds: $\mathrm{Adv}^{\mathrm{QIND\text{-}CCA1}}_{\mathcal{E},\mathcal{A}} \le \mathrm{negl}$.

As in the classical case, mirroring Theorems 3.31 and 3.32 exactly, one can show that QIND-CCA1 is strictly stronger than QIND-CPA.
Theorem 6.11 (QIND-CCA1 $\Rightarrow$ QIND-CPA). If a SKQES is QIND-CCA1 secure, then it is also QIND-CPA secure.
Theorem 6.12 (QIND-CPA $\not\Rightarrow$ QIND-CCA1). There exists a SKQES which is QIND-CPA secure, but not QIND-CCA1 secure.
Secure Construction
QIND-CCA1 secure SKQES can be constructed given the existence of pqPRF (and hence from pqOWF, as from Corollary 4.15), as shown in [ABF+16] [...]

Construction 6.13 ([ABF+16, Scheme 1]). Let $F: \mathcal{K} \times \{0,1\}^n \to \{0,1\}^{2n}$ be a pqPRF as from Definition 4.13, and let $\mathcal{H}_\mathcal{X}$ be a complex Hilbert space of dimension $2^n$. Define $\mathcal{E} = \mathcal{E}_{\mathcal{K}, \mathfrak{D}(\mathcal{H}_\mathcal{X}), \mathfrak{D}(\mathcal{H}_\mathcal{X})} := (\mathrm{KGen}, \mathrm{QEnc}, \mathrm{QDec})$ as the SKQES with key space $\mathcal{K}$, plaintext and ciphertext space $\mathfrak{D}(\mathcal{H}_\mathcal{X})$, as follows:

1. $\mathrm{KGen} \to k$, with $k \xleftarrow{\$} \mathcal{K}$;
2. $\mathrm{QEnc}_k(\varphi) \to \psi \otimes |r\rangle\langle r|$, with $\psi := \mathrm{QOTP}_{F_k(r)}(\varphi)$, where $r \xleftarrow{\$} \{0,1\}^n$;
3. $\mathrm{QDec}_k(\rho) \to \mathrm{QOTP}_{F_k(s)}(\sigma)$, where $s$ is obtained by measuring the last $n$ qubits of $\rho$, while $\sigma$ is the reduced state left after such a measurement.

The above construction is QIND-CCA1 secure.
Theorem 6.14 ([ABF+16, Lemma 14]). Let $\mathcal{E}$ be the SKQES from Construction 6.13 built using a pqPRF $F$. Then $\mathcal{E}$ is QIND-CCA1 secure.

Proof. First, we analyze the security of the scheme in an idealized scenario where $F$ is replaced by a function $f : \{0,1\}^n \to \{0,1\}^{2n}$ selected truly at random. We show that, in this case, $\mathcal{A}$ correctly guesses the challenge state in the QIND-CCA1 game with probability at most $\frac{1}{2} + \mathsf{negl}$. In fact, this bound holds for a stronger adversary $\mathcal{A}^*$, who has access to a classical oracle for $f$ prior to the challenge, and access to polynomially-many pairs $(r_i, f(r_i))$, where $r_i \xleftarrow{\$} \{0,1\}^n$ for $i = 1, \ldots, q = \mathsf{poly}(n)$, after the challenge. This adversary is stronger than $\mathcal{A}$ since it can simulate $\mathcal{A}$ by implementing the oracles $\mathsf{Enc}_f$ and $\mathsf{Dec}_f$ using its $f$ oracles. Since the input $r$ into $f$ in the challenge ciphertext is uniformly random, the probability that any of the polynomially-many oracle calls of $\mathcal{A}^*$ uses the same $r$ is negligible. In the case that no oracle calls use $r$, the mixtures of the inputs to $\mathcal{A}^*$ (including the pairs $(r_i, f(r_i))$) are the same for either of the two original challenge states. This fact can be verified by first averaging over the values of $f(r)$: since $f$ is uniformly random, $f(r)$ is also uniformly random as well as independent of the other values of $f$. In both cases, applying the quantum one-time pad results in the state
$$\frac{1}{2^n} I \otimes |r\rangle\langle r| \otimes \sigma \otimes |r_1\rangle\langle r_1| \otimes |f(r_1)\rangle\langle f(r_1)| \otimes \cdots \otimes |r_q\rangle\langle r_q| \otimes |f(r_q)\rangle\langle f(r_q)|,$$
where $\sigma$ is the state in the ‘environment register’ of $\mathcal{A}^*$ (the communication channel in Experiment 6.9), and hence indistinguishability follows.

Next, we consider the case that $f$ is replaced by a post-quantum pseudorandom function $F_k$ for a random key $k$. We show that a successful QIND-CCA1 adversary $\mathcal{A}$ (i.e., one that distinguishes challenges with probability at least $\frac{1}{2} + \varepsilon$ for non-negligible $\varepsilon$) can be used to construct a successful adversary $\mathcal{B}$ for the pqPRF, i.e., one that distinguishes $F_k$ from random with non-negligible advantage over guessing. The adversary $\mathcal{B}$ is a QPT algorithm with classical oracle access to a function $h : \{0,1\}^n \to \{0,1\}^{2n}$, and its goal is to output $0$ if $h$ is selected perfectly at random, and $1$ if $h = F_k$ for some $k$. Define the simulated oracles
$$\mathsf{QEnc}_h : \varphi \mapsto \mathsf{QOTP}_{h(r)}(\varphi) \otimes |r\rangle\langle r| \ \text{ for } r \xleftarrow{\$} \{0,1\}^n; \qquad \mathsf{QDec}_h : \psi \otimes |r\rangle\langle r| \mapsto \mathsf{QOTP}_{h(r)}(\psi),$$
where, as before, we assume that $\mathsf{QDec}_h$ measures the second register before decrypting the first one. Note that if $h = F_k$ then these are exactly the encryption and decryption oracles (with key $k$) of the real SKQES scheme.

The algorithm $\mathcal{B}$ proceeds as follows. First, it executes $\mathcal{A}$, and replies to $\mathcal{A}$’s encryption queries with $\mathsf{QEnc}_h$ and to $\mathcal{A}$’s decryption queries with $\mathsf{QDec}_h$. When $\mathcal{A}$ performs the QIND challenge query with plaintext states $\varphi_0$ and $\varphi_1$, $\mathcal{B}$ replies with the encryption of either of the two, each with probability $\frac{1}{2}$, and traces out the other one. Then $\mathcal{B}$ keeps answering $\mathcal{A}$’s encryption queries as before with its simulated oracle. If eventually $\mathcal{A}$ correctly guesses the plaintext selected by $\mathcal{B}$, then $\mathcal{B}$ outputs $1$; otherwise it outputs a random bit. If $h = F_k$ then we have exactly simulated the QIND-CCA1 game with adversary $\mathcal{A}$; otherwise, $\mathcal{B}$ still correctly distinguishes the PRF from random with probability $\frac{1}{2}$. So, the overall success probability of $\mathcal{B}$ is $\frac{1}{2} + \varepsilon$, which is non-negligible over guessing. This concludes the proof.

Notice how the security of Construction 6.13 only relies on the post-quantum (QS1) security of the PRF.

Corollary 6.15 (of Theorem 6.14 and Corollary 4.15). If pqOWF exist, then QIND-CCA1 SKQES exist.
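As an added illustration (not code from the thesis or [ABF+16]), the following Python script simulates Construction 6.13 on small state vectors and also carries out the averaging step from the proof of Theorem 6.14. It assumes HMAC-SHA256 as a stand-in for the pqPRF $F$ (not a post-quantum PRF), represents an $n$-qubit state as $2^n$ complex amplitudes, and applies the quantum one-time pad qubit-wise as $X^a Z^b$ for a $2n$-bit key $(a,b)$; all function names are the example's own.

```python
import hashlib
import hmac
import secrets

# Added example, not from the thesis or [ABF+16]. States of n qubits are lists
# of 2^n complex amplitudes; the QOTP key (a, b) in {0,1}^n x {0,1}^n applies
# X^a Z^b qubit-wise. HMAC-SHA256 stands in for the pqPRF F (an assumption).


def prf(key: bytes, r: int, n: int) -> tuple:
    """F_k(r): 2n pseudorandom bits, split into the X mask a and the Z mask b."""
    digest = hmac.new(key, r.to_bytes((n + 7) // 8, "big"), hashlib.sha256).digest()
    bits = int.from_bytes(digest, "big") >> (256 - 2 * n)   # top 2n bits, n <= 128
    return bits >> n, bits & ((1 << n) - 1)


def apply_x(state: list, mask: int) -> list:
    """X^mask: permutes basis states by flipping the qubits selected by mask."""
    return [state[idx ^ mask] for idx in range(len(state))]


def apply_z(state: list, mask: int) -> list:
    """Z^mask: phase -1 on basis states with odd parity on the masked qubits."""
    return [-amp if bin(idx & mask).count("1") % 2 else amp
            for idx, amp in enumerate(state)]


def qotp_encrypt(state: list, a: int, b: int) -> list:
    """QOTP_{(a,b)}: apply Z^b, then X^a."""
    return apply_x(apply_z(state, b), a)


def qotp_decrypt(state: list, a: int, b: int) -> list:
    """Exact inverse of qotp_encrypt, since (X^a Z^b)^dagger = Z^b X^a."""
    return apply_z(apply_x(state, a), b)


def keygen() -> bytes:
    """KGen: a uniformly random key for the stand-in PRF."""
    return secrets.token_bytes(32)


def qenc(key: bytes, phi: list, n: int) -> tuple:
    """QEnc_k(phi) = QOTP_{F_k(r)}(phi) (x) |r><r| with r uniform in {0,1}^n."""
    r = secrets.randbelow(1 << n)
    a, b = prf(key, r, n)
    return qotp_encrypt(phi, a, b), r


def qdec(key: bytes, ciphertext: tuple, n: int) -> list:
    """QDec_k: 'measure' the classical |r><r| register, then undo the pad."""
    psi, r = ciphertext
    a, b = prf(key, r, n)
    return qotp_decrypt(psi, a, b)


def density(state: list) -> list:
    """|state><state| as a 2^n x 2^n matrix."""
    return [[x * y.conjugate() for y in state] for x in state]


def average_over_pad_keys(phi: list, n: int) -> list:
    """Mixture of QOTP_{(a,b)}(phi) over all 4^n pad keys. For any phi this is
    I / 2^n, the step in the proof of Theorem 6.14 that hides the challenge."""
    dim = 1 << n
    acc = [[0j] * dim for _ in range(dim)]
    for a in range(dim):
        for b in range(dim):
            rho = density(qotp_encrypt(phi, a, b))
            for i in range(dim):
                for j in range(dim):
                    acc[i][j] += rho[i][j] / (dim * dim)
    return acc


def close(u: list, v: list, tol: float = 1e-9) -> bool:
    return len(u) == len(v) and all(abs(x - y) < tol for x, y in zip(u, v))


def is_maximally_mixed(rho: list, tol: float = 1e-9) -> bool:
    dim = len(rho)
    return all(abs(rho[i][j] - (1 / dim if i == j else 0)) < tol
               for i in range(dim) for j in range(dim))


if __name__ == "__main__":
    n = 2
    phi = [0.6, 0.0, 0.0, 0.8j]          # constructed 2-qubit state, unit norm
    k = keygen()
    assert close(qdec(k, qenc(k, phi, n), n), phi)
    assert is_maximally_mixed(average_over_pad_keys(phi, n))
    print("decryption is exact; the pad averaged over all keys gives I/4")
```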
Another way to build secure SKQES is to rely on the security of some (classical) SKES in QS2, and ‘lift’ the SKES construction to the QS3 model. In fact, the notions of (QS2) qIND and (QS3) QIND are basically the same.

Theorem 6.16. Let $\mathcal{E} = \mathcal{E}_{\mathcal{K}, X, Y} := (\mathsf{KGen}, \mathsf{Enc}, \mathsf{Dec})$ be a SKES, and let $\mathcal{E}' = \mathcal{E}'_{\mathcal{K}, \mathcal{D}(\mathcal{H}_X), \mathcal{D}(\mathcal{H}_Y)} := (\mathsf{KGen}', \mathsf{QEnc}, \mathsf{QDec})$ be a SKQES constructed as follows:

1. $\mathsf{KGen}' \to k$, with $k \leftarrow \mathsf{KGen}$;
2. $\mathsf{QEnc}_k(\varphi) \to |\mathsf{Enc}_k\rangle^{(2)}\, \varphi\, \langle\mathsf{Enc}_k|^{\dagger(2)}$;
3. $\mathsf{QDec}_k(\psi) \to |\mathsf{Dec}_k\rangle^{(2)}\, \psi\, \langle\mathsf{Dec}_k|^{\dagger(2)}$,

where $|\mathsf{Enc}_k\rangle^{(2)}$, $|\mathsf{Dec}_k\rangle^{(2)}$ are the type-(2) unitary operators associated to $\mathsf{Enc}$, $\mathsf{Dec}$. If $\mathcal{E}$ is qIND(-qCPA/qCCA1), then $\mathcal{E}'$ is QIND(-CPA/CCA1).

Proof (sketch). The proof follows from [GHS16, Appendix C], but it basically boils down to what was already discussed after Definition 6.4. Namely, the experiments for qIND-qCCA1 and QIND-CCA1 are fundamentally the same; the only difference is that in the qIND version, encryption and decryption oracles are specifically type-(2) operators derived from a classical SKES. So the only thing left to show is that the scheme defined by such encryption/decryption operators as in the statement of the theorem is actually a SKQES. This is trivially shown by observing that
$$(\mathsf{QDec}_k \circ \mathsf{QEnc}_k)(\varphi) = |\mathsf{Dec}_k\rangle^{(2)}\, |\mathsf{Enc}_k\rangle^{(2)}\, \varphi\, \langle\mathsf{Enc}_k|^{\dagger(2)}\, \langle\mathsf{Dec}_k|^{\dagger(2)} = \varphi,$$
so that $\mathsf{QEnc}$ and $\mathsf{QDec}$ respect Definition 6.1.

The above is a typical example of what was discussed under ‘Reason’ in Section 5.1, about the necessity of superposition-based quantum security for composition results in fully quantum scenarios. Notice in fact that in the above theorem it is crucial that $\mathcal{E}$ is a scheme secure in the QS2 model, $\mathcal{E}$ (in the QS …

6.2 Public-Key Quantum Encryption

When we move to the public-key scenario for quantum encryption schemes, intuitively we want the same kind of functionality offered by classical PKES, but with the possibility of encrypting arbitrary quantum states. As usual, we assume classical public/private key pairs $(pk, sk)$, where w.l.o.g. we assume that, for security parameter $n$, public keys are of bit size $\mathsf{p}(n)$, while secret keys are of bit size $\mathsf{s}(n)$, for polynomial functions $\mathsf{p}, \mathsf{s}$. Under this notation, we identify the keyspace $\mathcal{K}$ as $(\mathcal{K}_n)_n = (\mathcal{K}^{\mathsf{p}}_n)_n \times (\mathcal{K}^{\mathsf{s}}_n)_n =: \mathcal{K}^{\mathsf{p}} \times \mathcal{K}^{\mathsf{s}} \subset \{0,1\}^{\mathsf{p}(n)} \times \{0,1\}^{\mathsf{s}(n)}$. We define a quantum public-key encryption scheme (PKQES) as in [ABF+16].

Definition 6.17 (Public-Key Quantum Encryption Scheme (PKQES)). A public-key quantum encryption scheme (PKQES) with plaintext space $\mathcal{D}(\mathcal{H}_X)$, ciphertext space $\mathcal{D}(\mathcal{H}_Y)$, and key space $\mathcal{K} := \mathcal{K}^{\mathsf{p}} \times \mathcal{K}^{\mathsf{s}}$ is a tuple of QPT algorithms $\mathcal{E} := \mathcal{E}_{\mathcal{K}, \mathcal{D}(\mathcal{H}_X), \mathcal{D}(\mathcal{H}_Y)} := (\mathsf{KGen}, \mathsf{QEnc}, \mathsf{QDec})$:

1. $\mathsf{KGen} : \to \mathcal{K}$;
2. $\mathsf{QEnc} : \mathcal{K}^{\mathsf{p}} \times \mathcal{D}(\mathcal{H}_X) \to \mathcal{D}(\mathcal{H}_Y)$;
3. $\mathsf{QDec} : \mathcal{K}^{\mathsf{s}} \times \mathcal{D}(\mathcal{H}_Y) \to \mathcal{D}(\mathcal{H}_X)$;

such that $\big\| \mathsf{QDec}_{sk} \circ \mathsf{QEnc}_{pk} - I_{\mathcal{H}_X} \big\|_\diamond \le \mathsf{negl}$ for all $(pk, sk) \leftarrow \mathsf{KGen}$.

For the security model, as usual, we use the same QIND indistinguishability notion as for SKQES, but recalling that (as explained in Section 3.3 for classical SKES) in the public-key scenario the minimum meaningful security notion is QIND-CPA as in Definition 6.6.
Secure Construction
QIND-CPA secure PKQES can be constructed given the existence of pqOWTP, as shown in [ABF+16]. Let $X = \{0,1\}^n$. Then we define the following.

Construction 6.18 (PKQES from pqOWTP). Let $\mathcal{P} := (\mathsf{Gen}, \mathsf{Eval}, \mathsf{Invert})$ be a pqOWTP on $X$, with index and trapdoor spaces $\mathcal{I}$ and $\mathcal{T}$ respectively, and let $G_{\mathcal{P}} : X \to X^2$ be the Goldreich-Levin PRNG for $\mathcal{P}$ (seen as a OWF with hard-core predicates). Define $\mathcal{E} = \mathcal{E}_{\mathcal{K}, \mathcal{D}(\mathcal{H}_X), \mathcal{D}(\mathcal{H}_X^{\otimes 2})} := (\mathsf{KGen}, \mathsf{QEnc}, \mathsf{QDec})$ as a PKQES with (public, private) key space $\mathcal{K} = \mathcal{K}^{\mathsf{p}} \times \mathcal{K}^{\mathsf{s}}$ (where $\mathcal{K}^{\mathsf{p}} := \mathcal{I}$ and $\mathcal{K}^{\mathsf{s}} := \mathcal{T}$), plaintext space $\mathcal{D}(\mathcal{H}_X)$, and ciphertext space $\mathcal{D}(\mathcal{H}_X^{\otimes 2})$, in the following way:

1. $\mathsf{KGen} \to (pk, sk)$, with $(pk, sk) := (i, t) \leftarrow \mathsf{Gen}$;
2. $\mathsf{QEnc}_{pk}(\varphi) \to \psi \otimes |z\rangle\langle z|$, with $\psi := \mathsf{QOTP}_{G_{\mathcal{P}}(r)}(\varphi)$ and $z \leftarrow \mathsf{Eval}(pk, r)$, where $r \xleftarrow{\$} X$;
3. $\mathsf{QDec}_{sk}(\rho) \to \mathsf{QOTP}_{G_{\mathcal{P}}(s)}(\sigma)$, with $s \leftarrow \mathsf{Invert}(pk, sk, z)$, where $z$ is obtained by measuring the last $n$ qubits of $\rho$, while $\sigma$ is the reduced state left after such a measurement.

The above construction is a simplified version of [ABF+16, Scheme 2], and it can be shown to be QIND-CPA secure.

Theorem 6.19 ([ABF+16, Lemma 14]). Construction 6.18 is a QIND-CPA secure PKQES.

Proof (sketch). The proof is as in Theorem 3.42: recall that the QOTP is information-theoretically secure for independent keys sampled uniformly at random, and hence computationally secure for keys output by the pqPRNG in the construction here. Then, the only way for an adversary to attack the scheme is to recover $r$ by looking at the OWTP image $z$ obtained through $\mathsf{Eval}$, but this is impossible because $\mathcal{P}$ is a pqOWTP family, and $G_{\mathcal{P}}$ only outputs (post-quantum) hard-core bits.

6.3 Quantum ORAM

In this section we study quantum ORAMs (QORAM), that is, ORAM constructions operating on quantum data. This new cryptographic primitive, defined in [GKK17], considers the same scenario as in the ORAM case, but where all the parties have quantum computing and communication capabilities. As we will see, many difficulties arise in modeling this scenario.

In the QORAM model, the client $\mathcal{C}$ and the server $\mathcal{S}$ are both QPT algorithms, sharing a quantum communication channel (quantum register) $\Psi$. Since such a quantum channel can also be used to share classical information, we assume without loss of generality that $\mathcal{C}$ and $\mathcal{S}$ also share a classical channel $\Xi$. In the following, if not otherwise stated, we will always assume that all the classical communication between $\mathcal{C}$ and $\mathcal{S}$ happens through $\Xi$, and all the quantum communication happens through $\Psi$. In this scenario, a computationally limited $\mathcal{C}$ wants to outsource a quantum database (QDB) to the more powerful $\mathcal{S}$, and perform operations on the QDB in a secure way, as in the ORAM case.

We first have to define what it means to have a ‘quantum database’. In our case, this will be a structure of quantum blocks. A quantum block is an $n_{\mathrm{blk}}$-qubit quantum state $\psi \in \mathcal{D}(\mathcal{H}_{n_{\mathrm{blk}}})$ for a fixed parameter $n_{\mathrm{blk}} \in \mathbb{N}$ which depends on $\mathcal{C}$’s and $\mathcal{S}$’s architectures. A quantum database (QDB) of size $n_{\mathrm{db}} \in \mathbb{N}$ is a quantum register of $\mathcal{S}$ which stores $n_{\mathrm{db}}$ quantum blocks.
It is important to notice that we impose no restriction on the nature of the states stored in the quantum blocks, i.e., these states could be mixed or entangled, amongst them or with states stored in other, external registers. As explained in the preliminaries, in the following, for simplicity, we abuse notation and denote such a multipartite system with a tuple of quantum blocks $(\psi_1, \ldots, \psi_{n_{\mathrm{db}}})$. Since we assume this quantum register to reside on the server’s side, we will denote it as $\mathcal{S}.|\mathrm{QDB}\rangle$. As in the ORAM case, the precise way this system of quantum blocks is represented in the quantum database is unspecified, and left to the exact implementation of the QORAM scheme taken into account. As usual, we will abuse notation and write that $\mathcal{S}.|\mathrm{QDB}\rangle(i) = \psi$ if $\psi$ is the state obtained by tracing out all but the $i$-th subsystem of $\mathcal{S}.|\mathrm{QDB}\rangle$, and that $\psi \in \mathcal{S}.|\mathrm{QDB}\rangle$ if $\mathcal{S}.|\mathrm{QDB}\rangle(i) = \psi$ for some $i \in \mathbb{N}$.

A quantum block encodes (usually in an encrypted form) a quantum data unit, which is another quantum state representing the information that the client actually wants to access or modify, and possibly additional (quantum or classical) auxiliary information. Formally, a quantum data unit is a quantum state $\varphi \in \mathcal{D}(\mathcal{H}_{n_{\mathrm{dat}}})$ of $n_{\mathrm{dat}}$ qubits, where $n_{\mathrm{dat}} \le n_{\mathrm{blk}}$ depends on $\mathcal{C}$’s and $\mathcal{S}$’s architecture. As before, no assumption is made about the nature of these quantum states. Every quantum block can encode a single quantum data unit, therefore at any given time $t$ a CPTP map $|\mathrm{QData}\rangle_t : \mathcal{S}.|\mathrm{QDB}\rangle \to \mathcal{D}(\mathcal{H}_{n_{\mathrm{dat}}})$ is defined. With abuse of notation, we will denote by $|\mathrm{QData}\rangle(\psi)$ the quantum data unit encoded in the block $\psi$ at a certain time. The client $\mathcal{C}$ can operate on the quantum database through quantum data requests.

Definition 6.20 (Quantum Data Request). A quantum data request to a database $\mathcal{S}.|\mathrm{QDB}\rangle$ of size $n_{\mathrm{db}}$ is a tuple of the form $|\mathrm{qdr}\rangle = (\mathsf{op}, i, \varphi)$, where $\mathsf{op} \in \{\mathsf{read}, \mathsf{write}\}$, $i \in \{1, \ldots, n_{\mathrm{db}}\}$, and $\varphi \in \mathcal{D}(\mathcal{H}_{n_{\mathrm{dat}}})$ is a quantum data unit ($\varphi$ can also be $|\bot\rangle$ if $\mathsf{op} = \mathsf{read}$).

Finally, we define the meaning of a quantum communication transcript during an execution of a QORAM protocol. As in the ORAM case, we will use the following definition.

Definition 6.21 (Quantum Communication Transcript). A quantum communication transcript $|\mathrm{qcom}\rangle$ at time $t$ is the content of the communication registers $(\Xi, \Psi)$ at time $t$ of the protocol’s execution.

As in the ORAM case, in the following we will consider $|\mathrm{qcom}\rangle$ as a discrete function of the round $1, 2, \ldots$ of the protocol. Notice the following difference from the classical case: as this time $\mathcal{C}$ and $\mathcal{S}$ are also allowed to exchange quantum data through $\Psi$, it might not be possible for an adversary to obtain a full transcript of $|\mathrm{qcom}\rangle$ without disturbing the protocol. We will address this issue in the next section about security.

From now on, $n_{\mathrm{blk}}$ and $n_{\mathrm{dat}}$ will be fixed constants (the quantum block size and the quantum data unit size, resp.). As in the classical case, we assume that a server’s QDB is always initialized empty (that is, with randomized encryptions of $|0\ldots0\rangle$ as data), and it is left up to the client the task of ‘populating’ the database. We are now ready to define a QORAM as follows.

Definition 6.22 (QORAM). Let $n_{\mathrm{Max}} \in \mathbb{N}$, $n_{\mathrm{msg}} \ge n_{\mathrm{dat}} \in \mathbb{N}$, and $\mathcal{E} = (\mathsf{KGen}, \mathsf{QEnc}, \mathsf{QDec})$ be a SKQES scheme mapping $n_{\mathrm{msg}}$-qubit plaintext states to $n_{\mathrm{blk}}$-qubit ciphertext states. A QORAM (quantum oblivious random access machine) $\mathsf{QORAM}_{\mathcal{E}}$ with parameters $(n_{\mathrm{Max}}, n_{\mathrm{dat}}, \mathcal{E})$ is a pair of two-party interactive QPT algorithms $(\mathsf{QInit}, \mathsf{QAccess})$, such that:

• $\mathsf{QInit}(n, n_{\mathrm{db}}) \to (\mathcal{C}, \mathcal{S})$ in the following way:
  1. $n$ is the security parameter, $n_{\mathrm{db}} \le n_{\mathrm{Max}}$;
  2. $k \leftarrow \mathsf{KGen}(n)$ is generated by $\mathcal{C}$;
  3. $\mathcal{S}$ includes a QDB $\mathcal{S}.|\mathrm{QDB}\rangle = (\psi_1, \ldots, \psi_{n_{\mathrm{db}}})$, where $\forall i: \psi_i \leftarrow \mathsf{QEnc}_k(|0\rangle\langle 0|)$;
• $\m﻿athsf{QAccess}(\mathcal{C}, \mathcal{S}, |\mathrm{qdr}\rangle) \to (\mathcal{C}', \mathcal{S}', |\mathrm{qcom}\rangle)$ in the following way:
  1. $\mathcal{C}$ issues a quantum data request $|\mathrm{qdr}\rangle$;
  2. $\mathcal{C}$ and $\mathcal{S}$ communicate via $(\Xi, \Psi)$ and produce the quantum communication transcript $|\mathrm{qcom}\rangle$.

The same considerations about soundness hold as in the classical case.
QORAM Security
We now look at the security model for QORAMs. As in the classical model, security will be given in terms of adaptive access pattern indistinguishability. Our threat model considers a quantum adversary $\mathcal{A}$, which we identify as $\mathcal{S}$ himself, and who wants to compromise $\mathcal{C}$’s privacy by having access to the communication channel $(\Xi, \Psi)$ and $\mathcal{S}$’s internal memory, but who is not allowed to modify the content of the channel against the soundness of the protocol. Without loss of generality, we assume that the only meaningful changes in the database area $\mathcal{S}.|\mathrm{QDB}\rangle$ happen between the beginning and the end of a $\mathsf{QAccess}$ execution.

As it often happens in the quantum world, there is a caveat here: it is unclear what an ‘honest-but-curious’ quantum adversary is. In fact, the problem is even more general: we do not have a notion of ‘read-only’ for quantum channels, as the mere act of observing the data in transit through $\Psi$ can destroy such data. For example, suppose that a quantum state $\varphi$ is sent through $\Psi$. Because of the No-Cloning Theorem, $\mathcal{S}$ cannot store a local copy of $\varphi$; at the same time, measuring $\varphi$ in transit through $\Psi$ without any knowledge of such state would disturb it with high probability. Therefore, it seems hard to justify the inclusion of the state $\varphi$ in the adversarial view (the quantum access pattern) of an honest-but-curious quantum adversary.

Nevertheless, it is important to allow the adversary $\mathcal{A}$ to know some information about the quantum state $\varphi$. There are many reasons for this choice. First of all, remember that we are defining QORAMs in a very abstract and general way, and the exact details of how the communication and storage of quantum information work are left to the particular QORAM construction. For example, there might be constructions which only use quantum states from a finite, fixed set of orthogonal states, or which only use subsets of quantum states admitting efficient classical representations (and encode them in a classical way during the communication). Moreover, it might be possible that the adversary $\mathcal{A}$ at some point obtains access to some side-information which allows him to know something about the content of the database or the data transferred in a sound way, e.g., by applying some quantum operation or partial measurement which does not disturb the state too much. As we need to cover all these possibilities, the option of not including the quantum data in the access pattern at all would be too restrictive. On the other hand, the adversary $\mathcal{A}$ should not be able to modify too much (from $\mathcal{C}$’s point of view) any quantum state, as this would go beyond the notion of honest-but-curious adversary usually considered in the ORAM scenario.

We solve this issue by introducing a safe extractor. The intuition behind this technique is to allow our adversary to extract any kind of (quantum) information he wants from a certain physical system, as long as such extraction is hardly noticeable by any other party. In this case we say that the action of the adversary on the physical system is computationally undetectable, meaning that no QPT algorithm can reliably distinguish whether a quantum operation takes place or not by just looking at the processed quantum state, even in presence of auxiliary information such as, e.g., additional entangled registers. More formally we define the following.

Definition 6.23 (Computational Undetectability of Quantum Action). Let $\mathcal{H}_\Lambda, \mathcal{H}_\Sigma, \mathcal{H}_{\mathrm{Env}}$ be Hilbert spaces of dimension polynomial in $n$ associated to quantum registers $\Lambda, \Sigma, \mathrm{Env}$ respectively, and let $\varphi_\Sigma$ be an arbitrary quantum state on register $\Sigma$. A quantum algorithm $\mathcal{B} : \mathcal{D}(\mathcal{H}_\Lambda \otimes \mathcal{H}_\Sigma) \to \mathcal{D}(\mathcal{H}_\Lambda \otimes \mathcal{H}_\Sigma)$ acting on registers $\Lambda$ and $\Sigma$ has computationally undetectable action on $\varphi_\Sigma$ iff for any bipartite state $\varphi_{\Sigma\mathrm{Env}}$ such that $(\varphi_{\Sigma\mathrm{Env}})_\Sigma = \varphi_\Sigma$, and for any QPT algorithm $\mathcal{D}$ acting on registers $\Sigma$ and $\mathrm{Env}$ and outputting $0$ or $1$, it holds:
$$\Big|\, \Pr\big[\mathcal{D}(\varphi_{\Sigma\mathrm{Env}}) \to 1\big] - \Pr\Big[\mathcal{D}\Big(\big((\mathcal{B} \otimes I_{\mathcal{H}_{\mathrm{Env}}})(|0\rangle\langle 0|_\Lambda \otimes \varphi_{\Sigma\mathrm{Env}})\big)_{\Sigma\mathrm{Env}}\Big) \to 1\Big] \Big| \le \mathsf{negl}.$$

Definition 6.24 (Safe Extractor). Let $\varphi_\Sigma \in \mathcal{D}(\mathcal{H}_\Sigma)$ be the quantum state contained in a quantum register $\Sigma$. A safe extractor for $\Sigma$ in the state $\varphi_\Sigma$ is a QPT algorithm $\mathcal{B}$ with additional classical input $x$ of size polynomial in $n$, acting on $\Sigma$ and outputting a quantum state $\psi$ of qubit size polynomial in $n$, and such that the action of $\mathcal{B}$ on $\varphi_\Sigma$ is computationally undetectable.

Notice that Definition 6.24 depends on the state contained in the quantum register considered. That is, $\mathcal{B}$ might be a safe extractor for a given quantum register if that register is in a certain state, but not in a different one. Of course one could define $\mathcal{B}$ to be a safe extractor for a register ‘tout-court’ if it is a safe extractor for any state of that register according to Definition 6.24, but this would considerably reduce the power of the adversary. Instead, this definition allows the adversary to use $\mathcal{B}$ adaptively, only at certain points of his execution, when he knows that the action of $\mathcal{B}$ on the current state of the QORAM will be computationally undetectable. The additional classical input to $\mathcal{B}$ serves a useful purpose here, as it can be seen as a way for the adversary to communicate instructions to $\mathcal{B}$ about how to perform the extraction in a safe way (for example, $\mathcal{A}$ might encode a certain measurement basis through this classical input). With abuse of notation, and without loss of generality, we will write $\psi \leftarrow \mathcal{B}(|\mathrm{qcom}\rangle, \mathcal{S}.|\mathrm{QDB}\rangle)$ to denote that $\mathcal{B}$ performs the following:

• as a classical input, $\mathcal{B}$ gets the classical part of a quantum communication transcript $|\mathrm{qcom}\rangle$ (that is, the content of the classical channel $\Xi$) and additional classical information by the adversary $\mathcal{A}$;
• $\mathcal{B}$ acts on the quantum registers $\Psi$ and $\mathcal{S}.|\mathrm{QDB}\rangle$;
• finally, $\mathcal{B}$ produces a quantum output $\psi$.

The intuition of a safe extractor is that we need a way to formalize the (quantum or classical) information that an adversary is able to extract by observing the changes in the quantum database and communication channel. However, we still require that such extraction does not lead to a meaningful deviation from the ‘regular’ execution of the QORAM protocol. Computational undetectability of quantum action is a strong guarantee, because if such action is undetectable, in particular it means that such action cannot compromise the QORAM soundness. The converse does not hold: it might be the case that an adversary manipulates the quantum channel or database in such a way that it is theoretically possible to detect this manipulation (for some distinguisher $\mathcal{D}$), but not for any QORAM client, and therefore the QORAM soundness would still be preserved. However, for our purposes the above restriction on the power of the QORAM adversary is sufficient to define meaningful notions of security, and it is analogous to the (classical) restriction of an honest-but-curious adversary in the ORAM case commonly used in the literature. More formally, we define a QORAM adversary as follows.

Definition 6.25 (QORAM Adversary). Let $\mathcal{H}_{|\mathrm{QDB}\rangle}, \mathcal{H}_\Psi, \mathcal{H}_\Lambda$ be complex Hilbert spaces associated to quantum registers $|\mathrm{QDB}\rangle$ (the quantum database), $\Psi$ (the quantum communication channel) and $\Lambda$ (the quantum access pattern register). A QORAM adversary is a QPT algorithm $\mathcal{A}^{\mathcal{B}}$ with quantum oracle access to a CPTP map $\mathcal{B} : \Xi \times \mathcal{D}(\mathcal{H}_{|\mathrm{QDB}\rangle} \otimes \mathcal{H}_\Psi) \to \mathcal{D}(\mathcal{H}_\Lambda)$, such that:

1. $\mathcal{B}$ is a safe extractor for the joint register $(|\mathrm{QDB}\rangle, \Psi)$ for any of its states during any invocation of $\mathcal{B}$ by $\mathcal{A}$;
2. $\mathcal{A}^{\mathcal{B}}$ is computationally indistinguishable from an honest server $\mathcal{S}$ for every QORAM client $\mathcal{C}$.

As already discussed, notice that in the definition above conditions 1 and 2 are independent: if $\mathcal{B}$ is not a safe extractor during the execution, it means that there exists some quantum distinguisher $\mathcal{D}$ able to detect $\mathcal{B}$’s action on the joint register $(|\mathrm{QDB}\rangle, \Psi)$, but $\mathcal{A}^{\mathcal{B}}$ might still remain indistinguishable from an honest server for any honest quantum client. On the other hand, $\mathcal{A}$ might be a misbehaving adversary which deviates ‘too much’ from the execution of an honest server (and therefore might compromise the QORAM’s soundness), even if $\mathcal{B}$ always behaves as a safe extractor. For a meaningful notion of security akin to the QS… case, […] quantum access patterns are defined as the outputs of the safe extractor before and after the execution of a quantum data request.

Definition 6.26 (Quantum Access Pattern). Given QORAM client and server $\mathcal{C}$ and $\mathcal{S}$, a quantum data request $|\mathrm{qdr}\rangle$, and a QORAM adversary $\mathcal{A} = \mathcal{A}^{\mathcal{B}}$, the quantum access pattern observed by $\mathcal{A}$, denoted by $|\mathrm{qap}\rangle_{\mathcal{A}}(|\mathrm{qdr}\rangle)$, is the pair of quantum states $(\psi, \psi')$, where:

• $\psi \leftarrow \mathcal{B}(|\mathrm{qcom}\rangle, \mathcal{S}.|\mathrm{QDB}\rangle)$;
• $(\mathcal{C}', \mathcal{S}', |\mathrm{qcom}\rangle') \leftarrow \mathsf{QAccess}(\mathcal{C}, \mathcal{S}, |\mathrm{qdr}\rangle)$;
• $\psi' \leftarrow \mathcal{B}(|\mathrm{qcom}\rangle', \mathcal{S}'.|\mathrm{QDB}\rangle)$.

Notice that, since the action of the safe extractor is computationally undetectable, running it on two consecutive quantum data requests does not allow, in any case, to clone arbitrary quantum states. We define the new security game as follows.

Experiment 6.27 ($\mathsf{Game}^{\mathrm{QAP\text{-}IND\text{-}CQA}}_{\mathsf{QORAM}, \mathcal{A}^{\mathcal{B}}}$). Let $\mathsf{QORAM} = (\mathsf{QInit}, \mathsf{QAccess})$ be a QORAM construction with parameters $(n_{\mathrm{Max}}, n_{\mathrm{dat}}, \mathcal{E})$, $n$ a security parameter and $\mathcal{A} = \mathcal{A}^{\mathcal{B}}$ a QORAM adversary. The computational indistinguishability of quantum access patterns under adaptive chosen query attack game $\mathsf{Game}^{\mathrm{QAP\text{-}IND\text{-}CQA}}_{\mathsf{QORAM}, \mathcal{A}^{\mathcal{B}}}$ proceeds as follows:

Input: $n \in \mathbb{N}$
    $\mathcal{A} \to (\mathcal{A}_0, |\mathrm{qdr}\rangle_1, n_{\mathrm{db}} \le n_{\mathrm{Max}})$
    $(\mathcal{C}_0, \mathcal{S}_0) \leftarrow \mathsf{QInit}(n, n_{\mathrm{db}})$
    loop for $i = 1, \ldots, q \in \mathbb{N}$:    ▷ first quantum CQA phase
        $\mathsf{QAccess}(\mathcal{C}_{i-1}, \mathcal{S}_{i-1}, |\mathrm{qdr}\rangle_i) \to (\mathcal{C}_i, \mathcal{S}_i, |\mathrm{qap}\rangle_i)$
        $\mathcal{A}_{i-1}(|\mathrm{qap}\rangle_i, \mathcal{S}_i) \to (\mathcal{A}_i, |\mathrm{qdr}\rangle_{i+1})$
    $\mathcal{A}_q(|\mathrm{qdr}\rangle_{q+1}) \to (\mathcal{A}'_q, |\mathrm{qdr}\rangle_0, |\mathrm{qdr}\rangle_1)$
    $b \xleftarrow{\$} \{0,1\}$
    $\mathsf{QAccess}(\mathcal{C}_q, \mathcal{S}_q, |\mathrm{qdr}\rangle_b) \to (\mathcal{C}_{q+1}, \mathcal{S}_{q+1}, |\mathrm{qap}\rangle_{q+1})$    ▷ QAP-IND challenge
    trace out the quantum data contained in $|\mathrm{qdr}\rangle_{1-b}$
    $\mathcal{A}'_q(|\mathrm{qap}\rangle_{q+1}, \mathcal{S}_{q+1}) \to (\mathcal{A}_{q+1}, |\mathrm{qdr}\rangle_{q+2})$
    loop for $i = q+2, \ldots, q' \ge q+2$:    ▷ second quantum CQA phase
        $\mathsf{QAccess}(\mathcal{C}_{i-1}, \mathcal{S}_{i-1}, |\mathrm{qdr}\rangle_i) \to (\mathcal{C}_i, \mathcal{S}_i, |\mathrm{qap}\rangle_i)$
        $\mathcal{A}_{i-1}(|\mathrm{qap}\rangle_i, \mathcal{S}_i) \to (\mathcal{A}_i, |\mathrm{qdr}\rangle_{i+1})$
    $\mathcal{A}_{q'}(|\mathrm{qdr}\rangle_{q'+1}) \to b' \in \{0,1\}$
    if $b' = b$ then Output: $1$ else Output: $0$

The advantage of $\mathcal{A}$ is defined as:
$$\mathsf{Adv}^{\mathrm{QAP\text{-}IND\text{-}CQA}}_{\mathsf{QORAM}, \mathcal{A}^{\mathcal{B}}} := \Pr\Big[\mathsf{Game}^{\mathrm{QAP\text{-}IND\text{-}CQA}}_{\mathsf{QORAM}, \mathcal{A}^{\mathcal{B}}} \to 1\Big] - \frac{1}{2}.$$

Definition 6.28 (Quantum Access Pattern Indistinguishability Under Adaptive Chosen Query Attack). A QORAM construction $\mathsf{QORAM}$ has computationally indistinguishable quantum access patterns under adaptive chosen query attack (or, it is QAP-IND-CQA-secure) iff for any QORAM adversary $\mathcal{A}^{\mathcal{B}}$ it holds: $\mathsf{Adv}^{\mathrm{QAP\text{-}IND\text{-}CQA}}_{\mathsf{QORAM}, \mathcal{A}^{\mathcal{B}}} \le \mathsf{negl}$.

PathQORAM
In this section we describe the construction for a novel QAP-IND-CQA-secure QORAM scheme, which we call PathQORAM, and which has the interesting property that read and write operations are inherently equivalent. The idea is to modify PathORAM with the SKQES from Construction 6.13, but we need some additional care for ensuring soundness. In fact, we have the following problem. Suppose the client issues a quantum data request for block $i$. This will be translated to a leaf in $\mathcal{S}$’s quantum database, and the resulting tree branch $|\mathrm{QBranch}\rangle$ will be sent to $\mathcal{C}$. Now $\mathcal{C}$ knows that the data he is looking for is encoded in one of $|\mathrm{QBranch}\rangle$’s nodes, but he does not know which one. Classically, $\mathcal{C}$ would proceed by decrypting and inspecting every node in $|\mathrm{QBranch}\rangle$ until he finds what he is looking for, then he would perform some operation on that element, before re-encrypting it again, and then complete the re-randomization of $|\mathrm{QBranch}\rangle$ before re-sending the whole branch to $\mathcal{S}$. This operation might be problematic in the quantum world though: inspecting an unknown quantum state will destroy it with high probability. We therefore have to find a way to signal $\mathcal{C}$ when he reaches the right node in the path without disturbing the quantum data unit itself.

The solution is to notice that, in our formalization of PathORAM, the client stores the classical identifier $i$ together with the data unit in the block. In the quantum version PathQORAM, this identifier is still classical, and of a fixed length $n_{\mathrm{tag}}$. Once a node in $|\mathrm{QBranch}\rangle$ is decrypted, it will be transformed to $|i\rangle\langle i| \otimes \varphi$. The first register can then be measured in the computational basis without being disturbed, and without disturbing the state $\varphi$ (which is not entangled with $|i\rangle$). So the trick for $\mathcal{C}$ is to find out when he is decrypting the right element by only measuring the first $n_{\mathrm{tag}}$ qubits of the decrypted block, and then only act on the quantum data unit when the right identifier is found. Notice how other approaches used classically to instantiate PathORAM, such as identifying blocks by storing a local table with the hash values of the data units, might not work so smoothly when translated to the quantum world.

More concretely, we give here a full description of PathQORAM (which from now on we denote as $\mathsf{PathQORAM}$) according to our new formalism. The meaning of the parameters is as in Definition 3.63.

Construction 6.29 ($\mathsf{PathQORAM}$ [GKK17, Definition 36]). For fixed parameters $n_{\mathrm{dat}}, n_{\mathrm{Max}} \in \mathbb{N}$, let $n_{\mathrm{tag}} = \lceil \log n_{\mathrm{Max}} \rceil$, $n_{\mathrm{bkt}} \in \mathbb{N}$, $n_{\mathrm{msg}} = n_{\mathrm{dat}} + n_{\mathrm{tag}}$, and $n_{\mathrm{blk}} \ge n_{\mathrm{msg}}$. Let $G$ be a pqPRNG outputting $n_{\mathrm{tag}}$-bit pseudorandom values, and let $\mathcal{E} = (\mathsf{KGen}, \mathsf{QEnc}, \mathsf{QDec})$ be a QIND-CPA SKQES with $n_{\mathrm{msg}}$-qubit plaintexts and $n_{\mathrm{blk}}$-qubit ciphertexts. We define a QORAM construction called $\mathsf{PathQORAM} = \mathsf{PathQORAM}_{\mathcal{E}, G}$ as follows:

• $\mathsf{QInit}(n, n_{\mathrm{db}}) \to (\mathcal{C}, \mathcal{S})$ in the following way:
  1. $\mathcal{C}$ generates a secret key $k \leftarrow \mathsf{KGen}$
  2. set $n_{\mathrm{tree}} := \lceil \log n_{\mathrm{db}} \rceil$
  3. $\mathcal{C}$ initializes a lookup table (the position map) of the form $((1, r_1), \ldots, (n_{\mathrm{db}}, r_{n_{\mathrm{db}}}))$, where the $r_i$ are $n_{\mathrm{tree}}$-bit values generated by truncating the first $n_{\mathrm{tag}} - n_{\mathrm{tree}}$ bits of $G$’s output
  4. $\mathcal{S}.|\mathrm{QDB}\rangle$ is stored in a binary tree of height $n_{\mathrm{tree}}$, with root $|\mathrm{QRoot}\rangle$ and leaves $|\mathrm{QLeaf}\rangle_0, \ldots, |\mathrm{QLeaf}\rangle_{2^{n_{\mathrm{tree}}}-1}$, and such that:
     (a) each node of the tree stores up to $n_{\mathrm{bkt}}$ quantum blocks;
     (b) every quantum block of every node is initialized to $\mathsf{QEnc}_k(|0^{n_{\mathrm{msg}}}\rangle\langle 0^{n_{\mathrm{msg}}}|)$.

• If $|\mathrm{qdr}\rangle = (\mathsf{op}, i, \varphi)$, then $\mathsf{QAccess}(\mathcal{C}, \mathcal{S}, |\mathrm{qdr}\rangle) \to (\mathcal{C}', \mathcal{S}', |\mathrm{qcom}\rangle)$ in the following way:
  1. $\mathcal{C}$ reads $r_i$ from his position map and sends it to $\mathcal{S}$
  2. $\mathcal{S}$ sends to $\mathcal{C}$ the quantum system containing the path $|\mathrm{QBranch}\rangle$ from $|\mathrm{QRoot}\rangle$ to $|\mathrm{QLeaf}\rangle_{r_i}$
  3. remap $(i, r_i)$ to $(i, r'_i)$ in the position map of $\mathcal{C}$, where $r'_i$ is a fresh pseudorandom $n_{\mathrm{tree}}$-bit value (generated by truncating the first $n_{\mathrm{tag}} - n_{\mathrm{tree}}$ bits of $G$’s output), obtaining $\mathcal{C}'$
  4. for all quantum blocks $\psi$ contained in $|\mathrm{QBranch}\rangle$ do
  5.     $\mathcal{C}$ decrypts $\mathsf{QDec}_k(\psi) \to (|j\rangle\langle j| \otimes \sigma)$, where $|j\rangle \in \mathcal{H}_{n_{\mathrm{tag}}}$ and $\sigma \in \mathcal{D}(\mathcal{H}_{n_{\mathrm{dat}}})$
  6.     $\mathcal{C}$ measures the first $n_{\mathrm{tag}}$ qubits of the decrypted state in the computational basis, obtaining $j$
  7.     if $j = i$ then swap $\sigma$ with $\varphi$
  8.     $\mathcal{C}$ re-encrypts (re-randomizing) the current quantum block, obtaining $\psi'$
  9. find in $|\mathrm{QBranch}\rangle$ the common parent node $|\mathrm{QNode}\rangle$ of $|\mathrm{QLeaf}\rangle_{r_i}$ and $|\mathrm{QLeaf}\rangle_{r'_i}$ closest to the leaf level
  10. set $b_{\mathrm{swap}} :=$ ‘false’
  11. for all $\rho$ in $|\mathrm{QNode}\rangle$ do
  12.     $\mathcal{C}$ decrypts $\mathsf{QDec}_k(\rho) \to (|j\rangle\langle j| \otimes \sigma)$
  13.     $\mathcal{C}$ re-encrypts (re-randomizing) $\rho \leftarrow \mathsf{QEnc}_k(|j\rangle\langle j| \otimes \sigma)$
  14.     if $j = 0\ldots0$ then    ▷ $\rho$ is empty, can be used
  15.         swap $\psi'$ and $\rho$
  16.         set $b_{\mathrm{swap}} :=$ ‘true’
  17. if $b_{\mathrm{swap}} =$ ‘false’ then    ▷ no empty blocks in current $|\mathrm{QNode}\rangle$
  18.     if $|\mathrm{QNode}\rangle \ne |\mathrm{QRoot}\rangle$ then
  19.         set $|\mathrm{QNode}\rangle$ to be one level up in the tree
  20.         go to step 11
  21.     else store the current quantum block in $|\mathrm{QStash}\rangle$
  22. $\mathcal{C}$ sends back the updated tree branch, $|\mathrm{NewQBranch}\rangle$, to $\mathcal{S}$
  23. update $\mathcal{S}.|\mathrm{QDB}\rangle$ with $|\mathrm{NewQBranch}\rangle$, obtaining $\mathcal{S}'$
  24. produce $|\mathrm{qcom}\rangle$, which contains $r_i$, $|\mathrm{QBranch}\rangle$, $|\mathrm{NewQBranch}\rangle$

Notice that the following interesting property holds: the operations of ‘write’ and ‘read’ have the same effect. Namely, since qubits from the server’s database cannot be copied, and cannot be removed or added (otherwise this would compromise indistinguishability), the action of a read or write operation is simply to swap a state in the database with a state in $\mathcal{C}$’s memory. In fact, $\mathsf{QAccess}$ swaps $\varphi$, known by $\mathcal{C}$, with $\sigma$, stored at $\mathcal{S}$. Also notice how $|\mathrm{qcom}\rangle$ containing both $|\mathrm{QBranch}\rangle$ and $|\mathrm{NewQBranch}\rangle$ would seem to imply a cloning of quantum states. This is just a formal artifice, because in the case of QORAMs as we defined them, $|\mathrm{qcom}\rangle$ is only used in respect to a safe extractor $\mathcal{B}$, which processes $|\mathrm{NewQBranch}\rangle$ only after $\mathcal{C}$ has processed $|\mathrm{QBranch}\rangle$, so information is never copied. For the soundness of the $\mathsf{PathQORAM}$ construction we have left unexplained the use of a quantum stash $|\mathrm{QStash}\rangle$. This is an area of quantum memory basically used as the classical stash of PathORAM, but every time an element is ‘written’ in the stash, it is actually ‘swapped’ with an empty block in the tree. The security of the construction follows from the QIND-CPA security of the SKQES $\mathcal{E}$, and from the security of the pqPRNG $G$.
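To make the swap semantics of $\mathsf{QAccess}$ concrete, here is an added Python simulation (not code from the thesis or [GKK17]) in which quantum data units are opaque objects that can only be moved, never copied, so the bookkeeping exposes the no-cloning constraint and the read/write equivalence. It assumes a classical tag field in place of the measured $|i\rangle\langle i|$ register, omits the block encryption, replaces the pqPRNG $G$ by `random.Random`, and fills in two points the description leaves open as labelled assumptions: a first access to an identifier relabels an empty block on the branch, and blocks parked in the stash are re-tried for placement on every later access; all class and function names are the example's own.

```python
import random
from dataclasses import dataclass

# Added example, not the thesis's or [GKK17]'s code. A QDU is opaque: the only
# operation on it is a swap, so nothing is ever duplicated or discarded.
# Encryption is omitted; reading `tag` models measuring the tag register;
# random.Random stands in for the pqPRNG G (assumptions).


@dataclass(eq=False)
class QDU:
    """A quantum data unit (n_dat qubits), treated as opaque."""
    label: str


@dataclass(eq=False)
class QBlock:
    tag: int      # classical identifier i; tag 0 marks an empty block
    data: QDU


def swap_contents(x: QBlock, y: QBlock) -> None:
    """Move block contents between two slots without copying any QDU."""
    x.tag, y.tag = y.tag, x.tag
    x.data, y.data = y.data, x.data


class PathQORAM:
    def __init__(self, n_db: int, n_bkt: int = 2, n_stash: int = 4, seed: int = 0):
        self.rng = random.Random(seed)
        self.n_tree = max(1, (n_db - 1).bit_length())   # ceil(log2 n_db)
        self.n_leaves = 1 << self.n_tree
        # Heap layout: root is node 1, children of v are 2v and 2v+1,
        # leaf r (0 <= r < 2^n_tree) is node 2^n_tree + r. All blocks empty.
        self.tree = {v: [QBlock(0, QDU("zero")) for _ in range(n_bkt)]
                     for v in range(1, 2 * self.n_leaves)}
        self.stash = [QBlock(0, QDU("zero")) for _ in range(n_stash)]
        self.pos = {i: self.rng.randrange(self.n_leaves) for i in range(1, n_db + 1)}

    def _path(self, leaf: int) -> list:
        """Nodes of |QBranch> from |QRoot> down to |QLeaf>_leaf."""
        v = self.n_leaves + leaf
        return [v >> d for d in range(self.n_tree, -1, -1)]

    def _try_place(self, blk: QBlock, branch: list, leaf: int) -> bool:
        """Swap blk into an empty block of the deepest node shared by `branch`
        and the path to `leaf`, moving up towards the root (steps 9 to 20)."""
        shared = set(self._path(leaf))
        for node in reversed([v for v in branch if v in shared]):
            for empty in self.tree[node]:
                if empty.tag == 0:
                    swap_contents(blk, empty)
                    return True
        return False

    def access(self, i: int, phi: QDU) -> QDU:
        """QAccess for (op, i, phi): returns the QDU previously stored under i.
        Read and write are the same operation, a swap of phi with sigma."""
        r_old = self.pos[i]
        branch = self._path(r_old)                   # S sends |QBranch> to C
        r_new = self.rng.randrange(self.n_leaves)
        self.pos[i] = r_new                          # remap (i, r_i) -> (i, r'_i)
        hits = [b for v in branch for b in self.tree[v] if b.tag == i]
        if not hits:   # first access to i: relabel an empty block (assumption)
            hits = [b for v in branch for b in self.tree[v] if b.tag == 0][:1]
            hits[0].tag = i
        blk = hits[0]
        blk.data, phi = phi, blk.data                # the swap; nothing copied
        if not self._try_place(blk, branch, r_new):
            empty = next(b for b in self.stash if b.tag == 0)   # into |QStash>
            swap_contents(blk, empty)
        for parked in self.stash:                    # assumption: retry stash
            if parked.tag != 0:
                self._try_place(parked, branch, self.pos[parked.tag])
        return phi

    def all_units(self) -> list:
        """Every QDU currently held by the server (tree plus stash)."""
        return ([b.data for bucket in self.tree.values() for b in bucket]
                + [b.data for b in self.stash])


def demo() -> dict:
    """Write a unit under identifier 3, read it back twice, and check that the
    server's collection of units never gains, loses or duplicates an element."""
    oram = PathQORAM(n_db=4, n_bkt=2, seed=7)
    total = len(oram.all_units())
    got_on_write = oram.access(3, QDU("secret-A"))   # 'write': a zero state comes out
    got_on_read = oram.access(3, QDU("zero"))        # 'read': secret-A comes out
    got_again = oram.access(3, QDU("zero"))          # the slot now holds a zero state
    units = oram.all_units()
    return {
        "write_returned": got_on_write.label,
        "read_returned": got_on_read.label,
        "second_read_returned": got_again.label,
        "no_duplicates": len({id(u) for u in units}) == len(units) == total,
        "secret_left_server": got_on_read not in units,
    }
```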
Theorem 6.30 ([GKK17, Theorem 34]). Let $\mathcal{E}$ be a QIND-CPA SKQES, and let $G$ be a pqPRNG. Then, $\mathsf{PathQORAM}$ instantiated using $\mathcal{E}$ and $G$ is a QAP-IND-CQA secure QORAM.

Proof. The proof follows step-by-step the proof of Theorem 3.64 with some important differences. First of all, $\mathcal{D}$ cannot store a local mirrored tree of plaintexts of the form $(|i\rangle\langle i| \otimes \sigma)$ because of the No-Cloning Theorem, so he cannot simulate $\mathcal{C}$ perfectly. But he can store a mirrored tree which contains only the classical identifiers $i$, at the right positions of every block throughout the execution of the protocol.

At this point, $\mathcal{D}$ can simulate a decryption oracle for a certain block $\psi$ in a downloaded branch by fetching the cleartext identifier $i$ found at the corresponding position in the ‘mirrored’ tree, and creating a ‘simulated’ plaintext of the form $(|i\rangle\langle i| \otimes |0^{n_{\mathrm{dat}}}\rangle\langle 0^{n_{\mathrm{dat}}}|)$, i.e., replacing the ‘real’ quantum data unit $\sigma$ with a zero state. Since $\mathcal{A}$ never ‘sees’ a decrypted block, this substitution is not immediately apparent to him. Moreover, whenever $\mathcal{C}$ would create a block by encrypting $\psi \leftarrow \mathsf{QEnc}_k(|i\rangle\langle i| \otimes \sigma)$, $\mathcal{D}$ can simulate this by doing $\psi \leftarrow \mathsf{QEnc}_k(|i\rangle\langle i| \otimes |0^{n_{\mathrm{dat}}}\rangle\langle 0^{n_{\mathrm{dat}}}|)$. By the QIND-CPA security of $\mathcal{E}$, $\mathcal{A}$ cannot detect this substitution with more than negligible advantage over guessing. Therefore, $\mathcal{D}$ can still simulate $\mathcal{C}$ (with overwhelming, albeit not 100%, probability) at any data request.

Another issue appears during the challenge phase, as this time the concept of non-meaningful challenge must be redefined. For the same argument as above, from $\mathcal{A}$’s perspective it does not matter whether two data requests lead to two ‘different’ quantum data units $\sigma_0, \sigma_1$ (the analogue of the data units $\mathit{data}_0, \mathit{data}_1$ in the classical proof) or not. Therefore, $\mathcal{D}$ can ignore the quantum data units altogether. Moreover, as discussed above, in $\mathsf{PathQORAM}$ there is no difference between ‘read’ and ‘write’ operations.
It follows, from the same argument as in the proof of Theorem 3.64, that the two challenge quantum data requests |qdr_0⟩, |qdr_1⟩ must differ in the identifiers i_0, i_1. Then D plays the QIND-CPA game with challenge plaintexts ϕ_a = |i_a⟩⟨i_a| ⊗ |0^{n_dat}⟩⟨0^{n_dat}| for a ∈ {0, 1}, following the same strategy as in the classical case (guessing a bit, injecting the challenge ciphertext, and observing A's output), with only a negligible loss in the success probability because he is simulating fake plaintexts. This concludes the proof.

Bibliography

[Aar09] Scott Aaronson. Quantum copy-protection and quantum money. In Proceedings of the 24th Annual IEEE Conference on Computational Complexity, CCC 2009, Paris, France, 15-18 July 2009, pages 229–242, 2009.
[ABF+16] Gorjan Alagic, Anne Broadbent, Bill Fefferman, Tommaso Gagliardoni, Christian Schaffner, and Michael St. Jules. Computational security of quantum encryption. In Information Theoretic Security - 9th International Conference, ICITS 2016, Tacoma, WA, USA, August 9-12, 2016, Revised Selected Papers, pages 47–71, 2016.
[AM16] Gorjan Alagic and Christian Majenz. Quantum non-malleability and authentication. CoRR, abs/1610.04214, 2016.
[AR16] Gorjan Alagic and Alexander Russell. Quantum-secure symmetric-key cryptography based on hidden shifts. IACR Cryptology ePrint Archive, 2016:960, 2016.
[ARTL15] Tameem Albash, Troels F. Rønnow, Matthias Troyer, and Daniel A. Lidar. Reexamining classical and quantum models for the D-Wave One processor. The European Physical Journal Special Topics, 224(1):111–129, 2015.
[AMTdW00] Andris Ambainis, Michele Mosca, Alain Tapp, and Ronald de Wolf. Private quantum channels. In , pages 547–553, 2000.
[ARU14] Andris Ambainis, Ansis Rosmanis, and Dominique Unruh. Quantum attacks on classical proof systems: The hardness of quantum rewinding. In , pages 474–483, 2014.
[ATTU16] Mayuresh Vivekanand Anand, Ehsan Ebrahimi Targhi, Gelo Noel Tabia, and Dominique Unruh. Post-quantum security of the CBC, CFB, OFB, CTR, and XTS modes of operation. In Post-Quantum Cryptography - 7th International Workshop, PQCrypto 2016, Fukuoka, Japan, February 24-26, 2016, Proceedings, pages 44–63, 2016.
[AB09] Sanjeev Arora and Boaz Barak. Computational Complexity - A Modern Approach. Cambridge University Press, 2009.
[BCG+ , pages 449–458, 2002.
[Bel98] Mihir Bellare. Practice-oriented provable security. In Lectures on Data Security, Modern Cryptology in Theory and Practice, Summer School, Aarhus, Denmark, July 1998, pages 1–15, 1998.
[BR93] Mihir Bellare and Phillip Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In CCS '93, Proceedings of the 1st ACM Conference on Computer and Communications Security, Fairfax, Virginia, USA, November 3-5, 1993, pages 62–73, 1993.
[BBBV97] Charles H. Bennett, Ethan Bernstein, Gilles Brassard, and Umesh V. Vazirani. Strengths and weaknesses of quantum computing. SIAM J. Comput., 26(5):1510–1523, 1997.
[BB14] Charles H. Bennett and Gilles Brassard. Quantum cryptography: Public key distribution and coin tossing. Theor. Comput. Sci., 560:7–11, 2014.
[BBD09] Daniel J. Bernstein, Johannes Buchmann, and Erik Dahmen. Post-Quantum Cryptography. Springer-Verlag Berlin Heidelberg, 2009.
[BHH+15] Daniel J. Bernstein, Daira Hopwood, Andreas Hülsing, Tanja Lange, Ruben Niederhagen, Louiza Papachristodoulou, Michael Schneider, Peter Schwabe, and Zooko Wilcox-O'Hearn. SPHINCS: practical stateless hash-based signatures. In Advances in Cryptology - EUROCRYPT 2015 - 34th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Sofia, Bulgaria, April 26-30, 2015, Proceedings, Part I, pages 368–397, 2015.
[BV97] Ethan Bernstein and Umesh V. Vazirani. Quantum complexity theory. SIAM J. Comput., 26(5):1411–1473, 1997.
[Bon98] Dan Boneh. The decision Diffie-Hellman problem. In Algorithmic Number Theory, Third International Symposium, ANTS-III, Portland, Oregon, USA, June 21-25, 1998, Proceedings, pages 48–63, 1998.
[BDF+11] Dan Boneh, Özgür Dagdelen, Marc Fischlin, Anja Lehmann, Christian Schaffner, and Mark Zhandry. Random oracles in a quantum world. In Advances in Cryptology - ASIACRYPT 2011 - 17th International Conference on the Theory and Application of Cryptology and Information Security, Seoul, South Korea, December 4-8, 2011. Proceedings, pages 41–69, 2011.
[BZ13a] Dan Boneh and Mark Zhandry. Quantum-secure message authentication codes. In Advances in Cryptology - EUROCRYPT 2013, 32nd Annual International Conference on the Theory and Applications of Cryptographic Techniques, Athens, Greece, May 26-30, 2013. Proceedings, pages 592–608, 2013.
[BZ13b] Dan Boneh and Mark Zhandry. Secure signatures and chosen ciphertext security in a quantum computing world. In Advances in Cryptology - CRYPTO 2013 - 33rd Annual Cryptology Conference, Santa Barbara, CA, USA, August 18-22, 2013. Proceedings, Part II, pages 361–379, 2013.
[BCD+16] Joppe W. Bos, Craig Costello, Léo Ducas, Ilya Mironov, Michael Naehrig, Valeria Nikolaenko, Ananth Raghunathan, and Douglas Stebila. Frodo: Take off the ring! Practical, quantum-secure key exchange from LWE. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, Vienna, Austria, October 24-28, 2016, pages 1006–1018, 2016.
[BR03] P. Oscar Boykin and Vwani Roychowdhury. Optimal encryption of quantum bits. Phys. Rev. A, 67:042317, Apr 2003.
[BHT98] Gilles Brassard, Peter Høyer, and Alain Tapp. Quantum cryptanalysis of hash and claw-free functions, pages 163–169. Springer Berlin Heidelberg, Berlin, Heidelberg, 1998.
[BJ15] Anne Broadbent and Stacey Jeffery. Quantum homomorphic encryption for circuits of low T-gate complexity. In Advances in Cryptology - CRYPTO 2015 - 35th Annual Cryptology Conference, Santa Barbara, CA, USA, August 16-20, 2015, Proceedings, Part II, pages 609–629, 2015.
[BS16] Anne Broadbent and Christian Schaffner. Quantum cryptography beyond quantum key distribution. Des. Codes Cryptography, 78(1):351–382, 2016.
[BFM15] Christina Brzuska, Pooya Farshim, and Arno Mittelbach. Random-oracle uninstantiability from indistinguishability obfuscation. In Theory of Cryptography - 12th Theory of Cryptography Conference, TCC 2015, Warsaw, Poland, March 23-25, 2015, Proceedings, Part II, pages 428–455, 2015.
[CNR12] Jan Camenisch, Gregory Neven, and Markus Rückert. Fully anonymous attribute tokens from lattices. In Security and Cryptography for Networks - 8th International Conference, SCN 2012, Amalfi, Italy, September 5-7, 2012. Proceedings, pages 57–75, 2012.
[CGH98] Ran Canetti, Oded Goldreich, and Shai Halevi. The random oracle methodology, revisited (preliminary version). In Proceedings of the Thirtieth Annual ACM Symposium on the Theory of Computing, Dallas, Texas, USA, May 23-26, 1998, pages 209–218, 1998.
[CEJvO02] Stanley Chow, Philip A. Eisen, Harold Johnson, and Paul C. van Oorschot. White-box cryptography and an AES implementation. In Selected Areas in Cryptography, 9th Annual International Workshop, SAC 2002, St. John's, Newfoundland, Canada, August 15-16, 2002. Revised Papers, pages 250–270, 2002.
[DFG13] Özgür Dagdelen, Marc Fischlin, and Tommaso Gagliardoni. The Fiat-Shamir transformation in a quantum world. In Advances in Cryptology - ASIACRYPT 2013 - 19th International Conference on the Theory and Application of Cryptology and Information Security, Bengaluru, India, December 1-5, 2013, Proceedings, Part II, pages 62–81, 2013.
Information Theoretic Security - 7th International Conference, ICITS 2013, Singapore, November 28-30, 2013, Proceedings, pages 142–161, 2013.
[DH76] Whitfield Diffie and Martin E. Hellman. New directions in cryptography. IEEE Trans. Information Theory, 22(6):644–654, 1976.
[DFPR14] Vedran Dunjko, Joseph Fitzsimons, Christopher Portmann, and Renato Renner. Composable security of delegated quantum computation. In Advances in Cryptology - ASIACRYPT 2014 - 20th International Conference on the Theory and Application of Cryptology and Information Security, Kaoshiung, Taiwan, R.O.C., December 7-11, 2014, Proceedings, Part II, pages 406–425, 2014.
[ES15] Edward Eaton and Fang Song. Making existential-unforgeable signatures strongly unforgeable in the quantum random-oracle model. In , pages 147–162, 2015.
[FJP14] Luca De Feo, David Jao, and Jérôme Plût. Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies. J. Mathematical Cryptology, 8(3):209–247, 2014.
[Fey82] Richard P. Feynman. Simulating physics with computers. International Journal of Theoretical Physics, 21(6):467–488, 1982.
[FS86] Amos Fiat and Adi Shamir. How to prove yourself: Practical solutions to identification and signature problems. In Advances in Cryptology - CRYPTO '86, Santa Barbara, California, USA, 1986, Proceedings, pages 186–194, 1986.
[GHS16] Tommaso Gagliardoni, Andreas Hülsing, and Christian Schaffner. Semantic security and indistinguishability in the quantum world. In Advances in Cryptology - CRYPTO 2016 - 36th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 14-18, 2016, Proceedings, Part III, pages 60–89, 2016.
[GKK17] Tommaso Gagliardoni, Nikolaos P. Karvelas, and Stefan Katzenbeisser. ORAMs in a quantum world. IACR Cryptology ePrint Archive, 2017.
[Gam84] Taher El Gamal. A public key cryptosystem and a signature scheme based on discrete logarithms. In Advances in Cryptology, Proceedings of CRYPTO '84, Santa Barbara, California, USA, August 19-22, 1984, Proceedings, pages 10–18, 1984.
[GMP16] Sanjam Garg, Payman Mohassel, and Charalampos Papamanthou. TWORAM: efficient oblivious RAM in two rounds with applications to searchable encryption. In Advances in Cryptology - CRYPTO 2016 - 36th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 14-18, 2016, Proceedings, Part III, pages 563–592, 2016.
[GYZ16] Sumegha Garg, Henry Yuen, and Mark Zhandry. New security notions and feasibility results for authentication of quantum data. CoRR, abs/1607.07759, 2016.
[GPV08] Craig Gentry, Chris Peikert, and Vinod Vaikuntanathan. Trapdoors for hard lattices and new cryptographic constructions. In Proceedings of the 40th Annual ACM Symposium on Theory of Computing, Victoria, British Columbia, Canada, May 17-20, 2008, pages 197–206, 2008.
[Gol01] Oded Goldreich. The Foundations of Cryptography - Volume 1, Basic Techniques. Cambridge University Press, 2001.
[Gol04] Oded Goldreich. The Foundations of Cryptography - Volume 2, Basic Applications. Cambridge University Press, 2004.
[Gol11] Oded Goldreich. In a world of P=BPP. In Studies in Complexity and Cryptography. Miscellanea on the Interplay between Randomness and Computation - In Collaboration with Lidor Avigad, Mihir Bellare, Zvika Brakerski, Shafi Goldwasser, Shai Halevi, Tali Kaufman, Leonid Levin, Noam Nisan, Dana Ron, Madhu Sudan, Luca Trevisan, Salil Vadhan, Avi Wigderson, David Zuckerman, pages 191–232. 2011.
[GGH97] Oded Goldreich, Shafi Goldwasser, and Shai Halevi. Public-key cryptosystems from lattice reduction problems. In Advances in Cryptology - CRYPTO '97, 17th Annual International Cryptology Conference, Santa Barbara, California, USA, August 17-21, 1997, Proceedings, pages 112–131, 1997.
[GGM84] Oded Goldreich, Shafi Goldwasser, and Silvio Micali. How to construct random functions (extended abstract). In , pages 464–479, 1984.
Proceedings of the 21st Annual ACM Symposium on Theory of Computing, May 14-17, 1989, Seattle, Washington, USA, pages 25–32, 1989.
[GMW86] Oded Goldreich, Silvio Micali, and Avi Wigderson. How to prove all NP-statements in zero-knowledge, and a methodology of cryptographic protocol design. In Advances in Cryptology - CRYPTO '86, Santa Barbara, California, USA, 1986, Proceedings, pages 171–185, 1986.
[GO96] Oded Goldreich and Rafail Ostrovsky. Software protection and simulation on oblivious RAMs. J. ACM, 43(3):431–473, 1996.
[Gro96] Lov K. Grover. A fast quantum mechanical algorithm for database search. In Proceedings of the Twenty-Eighth Annual ACM Symposium on the Theory of Computing, Philadelphia, Pennsylvania, USA, May 22-24, 1996, pages 212–219, 1996.
[GdAJ13] Elloá B. Guedes, Francisco Marcos de Assis, and Bernardo Lula Jr. Quantum attacks on pseudorandom generators. Mathematical Structures in Computer Science, 23(3):608–634, 2013.
[GQ88] Louis C. Guillou and Jean-Jacques Quisquater. A "paradoxical" identity-based signature scheme resulting from zero-knowledge. In Advances in Cryptology - CRYPTO '88, 8th Annual International Cryptology Conference, Santa Barbara, California, USA, August 21-25, 1988, Proceedings, pages 216–231, 1988.
[HILL99] Johan Håstad, Russell Impagliazzo, Leonid A. Levin, and Michael Luby. A pseudorandom generator from any one-way function. SIAM J. Comput., 28(4):1364–1396, 1999.
[HSS11] Sean Hallgren, Adam D. Smith, and Fang Song. Classical cryptographic protocols in a quantum world. In Advances in Cryptology - CRYPTO 2011 - 31st Annual Cryptology Conference, Santa Barbara, CA, USA, August 14-18, 2011. Proceedings, pages 411–428, 2011.
[IR88] Russell Impagliazzo and Steven Rudich. Limits on the provable consequences of one-way permutations. In Advances in Cryptology - CRYPTO '88, 8th Annual International Cryptology Conference, Santa Barbara, California, USA, August 21-25, 1988, Proceedings, pages 8–26, 1988.
[JMV01] Don Johnson, Alfred Menezes, and Scott A. Vanstone. The elliptic curve digital signature algorithm (ECDSA). Int. J. Inf. Sec., 1(1):36–63, 2001.
[KLLN16] Marc Kaplan, Gaëtan Leurent, Anthony Leverrier, and María Naya-Plasencia. Breaking symmetric cryptosystems using quantum period finding. In Advances in Cryptology - CRYPTO 2016 - 36th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 14-18, 2016, Proceedings, Part II, pages 207–237, 2016.
[KKVB02] Elham Kashefi, Adrian Kent, Vlatko Vedral, and Konrad Banaszek. Comparison of quantum oracles. Phys. Rev. A, 65:050304, May 2002.
[KL07] Jonathan Katz and Yehuda Lindell. Introduction to Modern Cryptography. Chapman and Hall/CRC Press, 2007.
[KPG99] Aviad Kipnis, Jacques Patarin, and Louis Goubin. Unbalanced oil and vinegar signature schemes. In Advances in Cryptology - EUROCRYPT '99, International Conference on the Theory and Application of Cryptographic Techniques, Prague, Czech Republic, May 2-6, 1999, Proceeding, pages 206–222, 1999.
[KM10] Hidenori Kuwakado and Masakatu Morii. Quantum distinguisher between the 3-round Feistel cipher and the random permutation. In IEEE International Symposium on Information Theory, ISIT 2010, June 13-18, 2010, Austin, Texas, USA, Proceedings, pages 2682–2685, 2010.
[KM12] Hidenori Kuwakado and Masakatu Morii. Security on the quantum-type Even-Mansour cipher. In Proceedings of the International Symposium on Information Theory and its Applications, ISITA 2012, Honolulu, HI, USA, October 28-31, 2012, pages 312–316, 2012.
[Lyu12] Vadim Lyubashevsky. Lattice signatures without trapdoors. In Advances in Cryptology - EUROCRYPT 2012 - 31st Annual International Conference on the Theory and Applications of Cryptographic Techniques, Cambridge, UK, April 15-19, 2012. Proceedings, pages 738–755, 2012.
[LPR13] Vadim Lyubashevsky, Chris Peikert, and Oded Regev. On ideal lattices and learning with errors over rings. J. ACM, 60(6):43:1–43:35, 2013.
[McE78] Robert J. McEliece. A public-key cryptosystem based on algebraic coding theory. Deep Space Network Progress Report, 44:114–116, January 1978.
Encyclopedia of Cryptography and Security, 2nd Ed., pages 713–715. 2011.
[NC00] Michael A. Nielsen and Isaac L. Chuang. Quantum Computation and Quantum Information. Cambridge University Press, Cambridge, New York, 2000.
[OBK+16] P. J. J. O'Malley, R. Babbush, I. D. Kivlichan, J. Romero, J. R. McClean, R. Barends, J. Kelly, P. Roushan, A. Tranter, N. Ding, B. Campbell, Y. Chen, Z. Chen, B. Chiaro, A. Dunsworth, A. G. Fowler, E. Jeffrey, E. Lucero, A. Megrant, J. Y. Mutus, M. Neeley, C. Neill, C. Quintana, D. Sank, A. Vainsencher, J. Wenner, T. C. White, P. V. Coveney, P. J. Love, H. Neven, A. Aspuru-Guzik, and J. M. Martinis. Scalable quantum simulation of molecular energies. Phys. Rev. X, 6:031007, Jul 2016.
[PS00] David Pointcheval and Jacques Stern. Security arguments for digital signatures and blind signatures. J. Cryptology, 13(3):361–396, 2000.
[RSA78] Ronald L. Rivest, Adi Shamir, and Leonard M. Adleman. A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM, 21(2):120–126, 1978.
[SP92] Alfredo De Santis and Giuseppe Persiano. Zero-knowledge proofs of knowledge without interaction (extended abstract). In , pages 427–436, 1992.
[SS17] Thomas Santoli and Christian Schaffner. Using Simon's algorithm to attack symmetric-key cryptographic primitives. Quantum Information & Computation, 17(1&2):65–78, 2017.
[Sch91] Claus-Peter Schnorr. Efficient signature generation by smart cards. J. Cryptology, 4(3):161–174, 1991.
[Sha01] Claude E. Shannon. A mathematical theory of communication. Mobile Computing and Communications Review, 5(1):3–55, 2001.
[Sho94] Peter W. Shor. Algorithms for quantum computation: Discrete logarithms and factoring. In , pages 124–134, 1994.
[Sim97] Daniel R. Simon. On the power of quantum computation. SIAM J. Comput., 26(5):1474–1483, 1997.
[Son14] Fang Song. A note on quantum security for post-quantum cryptography. In Post-Quantum Cryptography - 6th International Workshop, PQCrypto 2014, Waterloo, ON, Canada, October 1-3, 2014. Proceedings, pages 246–265, 2014.
[SSS12] Emil Stefanov, Elaine Shi, and Dawn Xiaodong Song. Towards practical oblivious RAM. In , 2012.
[SvDS+13] Emil Stefanov, Marten van Dijk, Elaine Shi, Christopher W. Fletcher, Ling Ren, Xiangyao Yu, and Srinivas Devadas. Path ORAM: an extremely simple oblivious RAM protocol. In , pages 299–310, 2013.
[SLB+11] D. Stucki, M. Legré, F. Buntschu, B. Clausen, N. Felber, N. Gisin, L. Henzen, P. Junod, G. Litzistorf, P. Monbaron, L. Monat, J.-B. Page, D. Perroud, G. Ribordy, A. Rochas, S. Robyr, J. Tavares, R. Thew, P. Trinkler, S. Ventura, R. Voirol, N. Walenta, and H. Zbinden. Long-term performance of the SwissQuantum quantum key distribution network in a field environment. New Journal of Physics, 13(12):123001, December 2011.
[TCM+16] Maika Takita, Antonio D. Córcoles, Easwar Magesan, Baleegh Abdo, Markus Brink, Andrew Cross, Jerry M. Chow, and Jay M. Gambetta. Demonstration of weight-four parity measurements in the surface code architecture. Phys. Rev. Lett., 117:210505, Nov 2016.
[Unr12] Dominique Unruh. Quantum proofs of knowledge. In Advances in Cryptology - EUROCRYPT 2012 - 31st Annual International Conference on the Theory and Applications of Cryptographic Techniques, Cambridge, UK, April 15-19, 2012. Proceedings, pages 135–152, 2012.
[Unr13] Dominique Unruh. Everlasting multi-party computation. In Advances in Cryptology - CRYPTO 2013 - 33rd Annual Cryptology Conference, Santa Barbara, CA, USA, August 18-22, 2013. Proceedings, Part II, pages 380–397, 2013.
[Unr15] Dominique Unruh. Non-interactive zero-knowledge proofs in the quantum random oracle model. In Advances in Cryptology - EUROCRYPT 2015 - 34th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Sofia, Bulgaria, April 26-30, 2015, Proceedings, Part II, pages 755–784, 2015.
[VW16] Thomas Vidick and John Watrous. Quantum proofs. Foundations and Trends in Theoretical Computer Science, 11(1-2):1–215, 2016.
[Wat01] John Watrous. Quantum algorithms for solvable groups. In Proceedings on 33rd Annual ACM Symposium on Theory of Computing, July 6-8, 2001, Heraklion, Crete, Greece, pages 60–67, 2001.
[Wat06] John Watrous. Zero-knowledge against quantum attacks. In Proceedings of the 38th Annual ACM Symposium on Theory of Computing, Seattle, WA, USA, May 21-23, 2006, pages 296–305, 2006.
[Wie83] Stephen Wiesner. Conjugate coding. SIGACT News, 15(1):78–88, January 1983.
[Yao82] Andrew Chi-Chih Yao. Theory and applications of trapdoor functions (extended abstract). In , pages 80–91, 1982.
[Zha12a] Mark Zhandry. How to construct quantum random functions. In , pages 679–687, 2012.
[Zha12b] Mark Zhandry. Secure identity-based encryption in the quantum random oracle model. In Advances in Cryptology - CRYPTO 2012 - 32nd Annual Cryptology Conference, Santa Barbara, CA, USA, August 19-23, 2012. Proceedings, pages 758–775, 2012.
[Zha16] Mark Zhandry. A note on quantum-secure PRPs.