on security notions for encryption in a quantum world
TRANSCRIPT
1/10
On Security Notions for Encryptionin a Quantum World
Celine Chevalier 1 Ehsan Ebrahimi 2 Quoc-Huy Vu 1
1Universite Pantheon-Assas Paris II 2University of Luxembourg
2/10
Motivations
This paper: fully-quantum security for classical encryption.
Classical Security
Classical adversaries, classical communication
Post-quantum Security
Quantum adversaries, classical communication
Fully-Quantum Security [BZ’13, DFNS’14, GHS’16]
Quantum adversaries, quantum communication.
I Running classically obfuscated programs in quantum computers
I Exotic quantum attacks: frozen smart-card attack
2/10
Motivations
This paper: fully-quantum security for classical encryption.
Classical Security
Classical adversaries, classical communication
Post-quantum Security
Quantum adversaries, classical communication
Fully-Quantum Security [BZ’13, DFNS’14, GHS’16]
Quantum adversaries, quantum communication.
I Running classically obfuscated programs in quantum computers
I Exotic quantum attacks: frozen smart-card attack
2/10
Motivations
This paper: fully-quantum security for classical encryption.
Classical Security
Classical adversaries, classical communication
Post-quantum Security
Quantum adversaries, classical communication
Fully-Quantum Security [BZ’13, DFNS’14, GHS’16]
Quantum adversaries, quantum communication.
I Running classically obfuscated programs in quantum computers
I Exotic quantum attacks: frozen smart-card attack
2/10
Motivations
This paper: fully-quantum security for classical encryption.
Classical Security
Classical adversaries, classical communication
Post-quantum Security
Quantum adversaries, classical communication
Fully-Quantum Security [BZ’13, DFNS’14, GHS’16]
Quantum adversaries, quantum communication.
I Running classically obfuscated programs in quantum computers
I Exotic quantum attacks: frozen smart-card attack
3/10
Prior Results
1 Superposition access to encryption oracle
2 Superposition access to decryption oracle in chosen-ciphertext security.
BZ’13 Superposition access to encryption and decryption oracles, but challengesare classical, for both PKE and SKE.
GHS’16 Quantum challenges, but restricted to a special minimal oracle, limited toonly SKE and CPA security.
Open Quantum challenges, in the standard oracle model, for both PKE and SKEwith CCA security.I No-cloning TheoremI Measurement destructivenessI Impossibility for any Left-or-Right indistinguishability notion [BZ’13]
3/10
Prior Results
1 Superposition access to encryption oracle∑x
αx |x, y〉 7→∑x
αx |x, y ⊕ Enc(x)〉
2 Superposition access to decryption oracle in chosen-ciphertext security.
BZ’13 Superposition access to encryption and decryption oracles, but challengesare classical, for both PKE and SKE.
GHS’16 Quantum challenges, but restricted to a special minimal oracle, limited toonly SKE and CPA security.
Open Quantum challenges, in the standard oracle model, for both PKE and SKEwith CCA security.I No-cloning TheoremI Measurement destructivenessI Impossibility for any Left-or-Right indistinguishability notion [BZ’13]
3/10
Prior Results
1 Superposition access to encryption oracle
2 Superposition access to decryption oracle in chosen-ciphertext security.
BZ’13 Superposition access to encryption and decryption oracles, but challengesare classical, for both PKE and SKE.
GHS’16 Quantum challenges, but restricted to a special minimal oracle, limited toonly SKE and CPA security.
Open Quantum challenges, in the standard oracle model, for both PKE and SKEwith CCA security.I No-cloning TheoremI Measurement destructivenessI Impossibility for any Left-or-Right indistinguishability notion [BZ’13]
3/10
Prior Results
1 Superposition access to encryption oracle
2 Superposition access to decryption oracle in chosen-ciphertext security.
BZ’13 Superposition access to encryption and decryption oracles, but challengesare classical, for both PKE and SKE.
GHS’16 Quantum challenges, but restricted to a special minimal oracle, limited toonly SKE and CPA security.
Open Quantum challenges, in the standard oracle model, for both PKE and SKEwith CCA security.I No-cloning TheoremI Measurement destructivenessI Impossibility for any Left-or-Right indistinguishability notion [BZ’13]
3/10
Prior Results
1 Superposition access to encryption oracle
2 Superposition access to decryption oracle in chosen-ciphertext security.
BZ’13 Superposition access to encryption and decryption oracles, but challengesare classical, for both PKE and SKE.
GHS’16 Quantum challenges, but restricted to a special minimal oracle, limited toonly SKE and CPA security.
Open Quantum challenges, in the standard oracle model, for both PKE and SKEwith CCA security.I No-cloning TheoremI Measurement destructivenessI Impossibility for any Left-or-Right indistinguishability notion [BZ’13]
3/10
Prior Results
1 Superposition access to encryption oracle
2 Superposition access to decryption oracle in chosen-ciphertext security.
BZ’13 Superposition access to encryption and decryption oracles, but challengesare classical, for both PKE and SKE.
GHS’16 Quantum challenges, but restricted to a special minimal oracle, limited toonly SKE and CPA security.
Open Quantum challenges, in the standard oracle model, for both PKE and SKEwith CCA security.I No-cloning TheoremI Measurement destructivenessI Impossibility for any Left-or-Right indistinguishability notion [BZ’13]
4/10
Our Work
Main Results
An achievable, meaningful quantum notion of chosen-ciphertext security for bothsecret- and public-key encryption.
Our Techniques
I Switching from a Left-or-Right indistinguishability notion to a Real-or-Randomindistinguishability notion.
I Adapting Zhandry’s compressed oracle technique to randomized functions.[Zhandry’19]
4/10
Our Work
Main Results
An achievable, meaningful quantum notion of chosen-ciphertext security for bothsecret- and public-key encryption.
Our Techniques
I Switching from a Left-or-Right indistinguishability notion to a Real-or-Randomindistinguishability notion.
I Adapting Zhandry’s compressed oracle technique to randomized functions.[Zhandry’19]
4/10
Our Work
Main Results
An achievable, meaningful quantum notion of chosen-ciphertext security for bothsecret- and public-key encryption.
Our Techniques
I Switching from a Left-or-Right indistinguishability notion to a Real-or-Randomindistinguishability notion.
I Adapting Zhandry’s compressed oracle technique to randomized functions.[Zhandry’19]
4/10
Our Work
Main Results
An achievable, meaningful quantum notion of chosen-ciphertext security for bothsecret- and public-key encryption.
Our Techniques
I Switching from a Left-or-Right indistinguishability notion to a Real-or-Randomindistinguishability notion.
I Adapting Zhandry’s compressed oracle technique to randomized functions.[Zhandry’19]
5/10
Zhandry’s Recording Technique [Zhandry’19]1
I Goal: on-the-fly simulation of random oracles in the quantum setting.
Four steps
1 Quantum-ify
2 Look at Fourier Domain
3 Compress
4 Revert back to Primal Domain
Perfect Simulability
This is a perfect simulation for quantum random oracles.
1© Zhandry, CRYPTO’19
5/10
Zhandry’s Recording Technique [Zhandry’19]1
I Goal: on-the-fly simulation of random oracles in the quantum setting.
Four steps
1 Quantum-ify
2 Look at Fourier Domain
3 Compress
4 Revert back to Primal Domain
Perfect Simulability
This is a perfect simulation for quantum random oracles.
1© Zhandry, CRYPTO’19
5/10
Zhandry’s Recording Technique [Zhandry’19]1
I Goal: on-the-fly simulation of random oracles in the quantum setting.
Four steps
1 Quantum-ify
2 Look at Fourier Domain
3 Compress
4 Revert back to Primal Domain
Perfect Simulability
This is a perfect simulation for quantum random oracles.
1© Zhandry, CRYPTO’19
5/10
Zhandry’s Recording Technique [Zhandry’19]1
I Goal: on-the-fly simulation of random oracles in the quantum setting.
Four steps
1 Quantum-ify
Measuring∑
h |h〉 = h$← U
2 Look at Fourier Domain
3 Compress
4 Revert back to Primal Domain
Perfect Simulability
This is a perfect simulation for quantum random oracles.
1© Zhandry, CRYPTO’19
5/10
Zhandry’s Recording Technique [Zhandry’19]1
I Goal: on-the-fly simulation of random oracles in the quantum setting.
Four steps
1 Quantum-ify
2 Look at Fourier Domain
3 Compress
4 Revert back to Primal Domain
Perfect Simulability
This is a perfect simulation for quantum random oracles.
1© Zhandry, CRYPTO’19
5/10
Zhandry’s Recording Technique [Zhandry’19]1
I Goal: on-the-fly simulation of random oracles in the quantum setting.
Four steps
1 Quantum-ify
2 Look at Fourier Domain
|x, y〉A |h〉O 7→ |x, y ⊕ h(x)〉A |h〉OFourier
=====⇒Transform
|x, y〉A |h〉O 7→ |x, y〉A |h⊕ Px,y〉O
3 Compress
4 Revert back to Primal Domain
Perfect Simulability
This is a perfect simulation for quantum random oracles.
1© Zhandry, CRYPTO’19
5/10
Zhandry’s Recording Technique [Zhandry’19]1
I Goal: on-the-fly simulation of random oracles in the quantum setting.
Four steps
1 Quantum-ify
2 Look at Fourier Domain
3 Compress
4 Revert back to Primal Domain
Perfect Simulability
This is a perfect simulation for quantum random oracles.
1© Zhandry, CRYPTO’19
5/10
Zhandry’s Recording Technique [Zhandry’19]1
I Goal: on-the-fly simulation of random oracles in the quantum setting.
Four steps
1 Quantum-ify
2 Look at Fourier Domain
3 Compress
Initial Oracle State D = {}. Query(x, y,D):
1 If @(x, y′) ∈ D, D = D ∪ {(x, 0)}2 D = D \ {(x, y′)} ∪ {(x, y ⊕ y′)}3 D = D \ {(x, 0)} if ∃(x, 0) ∈ D
4 Revert back to Primal Domain
Perfect Simulability
This is a perfect simulation for quantum random oracles.
1© Zhandry, CRYPTO’19
5/10
Zhandry’s Recording Technique [Zhandry’19]1
I Goal: on-the-fly simulation of random oracles in the quantum setting.
Four steps
1 Quantum-ify
2 Look at Fourier Domain
3 Compress
4 Revert back to Primal Domain
Perfect Simulability
This is a perfect simulation for quantum random oracles.
1© Zhandry, CRYPTO’19
5/10
Zhandry’s Recording Technique [Zhandry’19]1
I Goal: on-the-fly simulation of random oracles in the quantum setting.
Four steps
1 Quantum-ify
2 Look at Fourier Domain
3 Compress
4 Revert back to Primal Domain
The oracle now has information about the adversary’s queries.
Perfect Simulability
This is a perfect simulation for quantum random oracles.
1© Zhandry, CRYPTO’19
5/10
Zhandry’s Recording Technique [Zhandry’19]1
I Goal: on-the-fly simulation of random oracles in the quantum setting.
Four steps
1 Quantum-ify
2 Look at Fourier Domain
3 Compress
4 Revert back to Primal Domain
Perfect Simulability
This is a perfect simulation for quantum random oracles.
1© Zhandry, CRYPTO’19
6/10
Recording Technique for Randomized Functions
Consider a randomized function f(x; r)
1 Quantum-ify
2 Look at Fourier Domain
3 Compress
4 Revert back to Primal Domain
Caveat!
The above simulation needs 3 applications of Uf . Thus it is not useful for:
I Proving one-time security
I Security reductions (Encrypt-then-Mac)
Simulation with 1 call to Uf
In the randomized setting, the database is always initialized to “zero”, thus we cansimulate with only one call to Uf .
6/10
Recording Technique for Randomized Functions
Consider a randomized function f(x; r)
1 Quantum-ify
2 Look at Fourier Domain
3 Compress
4 Revert back to Primal Domain
Caveat!
The above simulation needs 3 applications of Uf . Thus it is not useful for:
I Proving one-time security
I Security reductions (Encrypt-then-Mac)
Simulation with 1 call to Uf
In the randomized setting, the database is always initialized to “zero”, thus we cansimulate with only one call to Uf .
6/10
Recording Technique for Randomized Functions
Consider a randomized function f(x; r)
1 Quantum-ify
Measuring∑
r |r〉 = r$← U
2 Look at Fourier Domain
3 Compress
4 Revert back to Primal Domain
Caveat!
The above simulation needs 3 applications of Uf . Thus it is not useful for:
I Proving one-time security
I Security reductions (Encrypt-then-Mac)
Simulation with 1 call to Uf
In the randomized setting, the database is always initialized to “zero”, thus we cansimulate with only one call to Uf .
6/10
Recording Technique for Randomized Functions
Consider a randomized function f(x; r)
1 Quantum-ify
2 Look at Fourier Domain
3 Compress
4 Revert back to Primal Domain
Caveat!
The above simulation needs 3 applications of Uf . Thus it is not useful for:
I Proving one-time security
I Security reductions (Encrypt-then-Mac)
Simulation with 1 call to Uf
In the randomized setting, the database is always initialized to “zero”, thus we cansimulate with only one call to Uf .
6/10
Recording Technique for Randomized Functions
Consider a randomized function f(x; r)
1 Quantum-ify
2 Look at Fourier Domain
|x, y〉A |r, fr〉O 7→ |x, y ⊕ f(x; r)〉A |r, fr〉OQFT===⇒ |x, y〉A |r, fr〉O 7→ |x, y〉A |r, fr ⊕ Px,y〉O
3 Compress
4 Revert back to Primal Domain
Caveat!
The above simulation needs 3 applications of Uf . Thus it is not useful for:
I Proving one-time security
I Security reductions (Encrypt-then-Mac)
Simulation with 1 call to Uf
In the randomized setting, the database is always initialized to “zero”, thus we cansimulate with only one call to Uf .
6/10
Recording Technique for Randomized Functions
Consider a randomized function f(x; r)
1 Quantum-ify
2 Look at Fourier Domain
3 Compress
4 Revert back to Primal Domain
Caveat!
The above simulation needs 3 applications of Uf . Thus it is not useful for:
I Proving one-time security
I Security reductions (Encrypt-then-Mac)
Simulation with 1 call to Uf
In the randomized setting, the database is always initialized to “zero”, thus we cansimulate with only one call to Uf .
6/10
Recording Technique for Randomized Functions
Consider a randomized function f(x; r)
1 Quantum-ify
2 Look at Fourier Domain
3 Compress
Initial Oracle State D = {}. Query(x, y,D):
1 If @(r, x, y′) ∈ D, D = D ∪ {(r, x, f(x; r))}2 D = D \ {(r, x, y′)} ∪ {(r, x, f(x; r)⊕ y′)}3 D = D \ {(r, x, 0)} if ∃(r, x, 0) ∈ D
4 Revert back to Primal Domain
Caveat!
The above simulation needs 3 applications of Uf . Thus it is not useful for:
I Proving one-time security
I Security reductions (Encrypt-then-Mac)
Simulation with 1 call to Uf
In the randomized setting, the database is always initialized to “zero”, thus we cansimulate with only one call to Uf .
6/10
Recording Technique for Randomized Functions
Consider a randomized function f(x; r)
1 Quantum-ify
2 Look at Fourier Domain
3 Compress
4 Revert back to Primal Domain
Caveat!
The above simulation needs 3 applications of Uf . Thus it is not useful for:
I Proving one-time security
I Security reductions (Encrypt-then-Mac)
Simulation with 1 call to Uf
In the randomized setting, the database is always initialized to “zero”, thus we cansimulate with only one call to Uf .
6/10
Recording Technique for Randomized Functions
Consider a randomized function f(x; r)
1 Quantum-ify
2 Look at Fourier Domain
3 Compress
4 Revert back to Primal Domain
Caveat!
The above simulation needs 3 applications of Uf . Thus it is not useful for:
I Proving one-time security
I Security reductions (Encrypt-then-Mac)
Simulation with 1 call to Uf
In the randomized setting, the database is always initialized to “zero”, thus we cansimulate with only one call to Uf .
6/10
Recording Technique for Randomized Functions
Consider a randomized function f(x; r)
1 Quantum-ify
2 Look at Fourier Domain
3 Compress
4 Revert back to Primal Domain
Caveat!
The above simulation needs 3 applications of Uf . Thus it is not useful for:
I Proving one-time security
I Security reductions (Encrypt-then-Mac)
Simulation with 1 call to Uf
In the randomized setting, the database is always initialized to “zero”, thus we cansimulate with only one call to Uf .
6/10
Recording Technique for Randomized Functions
Consider a randomized function f(x; r)
1 Quantum-ify
2 Look at Fourier Domain
3 Compress
4 Revert back to Primal Domain
Caveat!
The above simulation needs 3 applications of Uf . Thus it is not useful for:
I Proving one-time security
I Security reductions (Encrypt-then-Mac)
Simulation with 1 call to Uf
In the randomized setting, the database is always initialized to “zero”, thus we cansimulate with only one call to Uf .
6/10
Recording Technique for Randomized Functions
Consider a randomized function f(x; r)
1 Quantum-ify
2 Look at Fourier Domain
3 Compress
4 Revert back to Primal Domain
Caveat!
The above simulation needs 3 applications of Uf . Thus it is not useful for:
I Proving one-time security
I Security reductions (Encrypt-then-Mac)
Simulation with 1 call to Uf
In the randomized setting, the database is always initialized to “zero”, thus we cansimulate with only one call to Uf .
7/10
IND-CCA (Real-or-Random)2
ExptbSE(λ,A):
1 k$← K()
2 (x, state)← AEnck,Deck1 (λ)
3 x0 ← x, x1$← X
4 y? ← Enck(xb)
5 b′ ← AEnck,Dec?k2 (y?, state)
6 return b′
I Dec?k(y) =
{⊥ if y = y?
Deck(y)
I πb =
{π if b = 1
1 if b = 0
∣∣Pr[Expt1SE(λ,A) = 1
]− Pr
[Expt0SE(λ,A) = 1
]∣∣ ≤ ε2Single-Challenge
7/10
IND-CCA (Real-or-Random)2
ExptbSE(λ,A):
1 k$← K()
2 (x, state)← AEnck,Deck1 (λ)
3 x0 ← x, x1$← X
4 y? ← Enck(xb)
5 b′ ← AEnck,Dec?k2 (y?, state)
6 return b′
I Dec?k(y) =
{⊥ if y = y?
Deck(y)
I πb =
{π if b = 1
1 if b = 0
∣∣Pr[Expt1SE(λ,A) = 1
]− Pr
[Expt0SE(λ,A) = 1
]∣∣ ≤ ε2Single-Challenge
7/10
IND-CCA (Real-or-Random)2
ExptbSE(λ,A):
1 k$← K()
2 (x, state)← AEnck,Deck1 (λ)
3 x0 ← x, x1$← X
4 y? ← Enck(xb)
5 b′ ← AEnck,Dec?k2 (y?, state)
6 return b′
I Dec?k(y) =
{x if y = y?
Deck(y)
I πb =
{π if b = 1
1 if b = 0
∣∣Pr[Expt1SE(λ,A) = 1
]− Pr
[Expt0SE(λ,A) = 1
]∣∣ ≤ ε2Single-Challenge
7/10
IND-CCA (Real-or-Random)2
ExptbSE(λ,A):
1 k$← K()
2 (x, state)← AEnck,Deck1 (λ)
3 x0 ← x, x1$← X
4 y? ← Enck(xb)
5 b′ ← AEnck,Dec?k2 (y?, state)
6 return b′
I Dec?k(y) =
{x if y = y?
Deck(y)
I πb =
{π if b = 1
1 if b = 0
∣∣Pr[Expt1SE(λ,A) = 1
]− Pr
[Expt0SE(λ,A) = 1
]∣∣ ≤ ε2Single-Challenge
7/10
IND-CCA (Real-or-Random)2
ExptbSE(λ,A):
1 k$← K()
2 (x, state)← AEnck,Deck1 (λ)
3 π$← Π
4 y? ← Enck(πb(x))
5 b′ ← AEnck,Dec?k2 (y?, state)
6 return b′
I Dec?k(y) =
{x if y = y?
Deck(y)
I πb =
{π if b = 1
1 if b = 0
∣∣Pr[Expt1SE(λ,A) = 1
]− Pr
[Expt0SE(λ,A) = 1
]∣∣ ≤ ε2Single-Challenge
8/10
qIND-qCCA (Real-or-Random)
ExptbSE(λ,A):
1 k$← K()
2∑
x,yαx,y |x, y, φx,y〉︸ ︷︷ ︸|Φ〉
← A|Enck〉,|Deck〉1 (λ)
3 π$← Π
4∑
x,y αx,y |x, y ⊕ Enck(πb(x)), φx,y〉︸ ︷︷ ︸
|Ψ〉
⊗Dx,y ← Enck◦πb |Φ〉
5 b′ ← A|Enck〉,|Dec?k 〉2 (|Ψ〉)
6 return b′
Dec?k |y, z〉 ⊗D =
{|y, z ⊕ Deck(y)〉 if @(w, y) ∈ D|y, z ⊕ w〉 if ∃(w, y) ∈ D
8/10
qIND-qCCA (Real-or-Random)
ExptbSE(λ,A):
1 k$← K()
2∑
x,yαx,y |x, y, φx,y〉︸ ︷︷ ︸|Φ〉
← A|Enck〉,|Deck〉1 (λ)
3 π$← Π
4∑
x,y αx,y |x, y ⊕ Enck(πb(x)), φx,y〉︸ ︷︷ ︸
|Ψ〉
⊗Dx,y ← Enck◦πb |Φ〉
5 b′ ← A|Enck〉,|Dec?k 〉2 (|Ψ〉)
6 return b′
Dec?k |y, z〉 ⊗D =
{|y, z ⊕ Deck(y)〉 if @(w, y) ∈ D|y, z ⊕ w〉 if ∃(w, y) ∈ D
8/10
qIND-qCCA (Real-or-Random)
ExptbSE(λ,A):
1 k$← K()
2∑
x,yαx,y |x, y, φx,y〉︸ ︷︷ ︸|Φ〉
← A|Enck〉,|Deck〉1 (λ)
3 π$← Π
4∑
x,y αx,y |x, y ⊕ Enck(πb(x)), φx,y〉︸ ︷︷ ︸
|Ψ〉
⊗Dx,y ← Enck◦πb |Φ〉
5 b′ ← A|Enck〉,|Dec?k 〉2 (|Ψ〉)
6 return b′
Dec?k |y, z〉 ⊗D =
{|y, z ⊕ Deck(y)〉 if @(w, y) ∈ D|y, z ⊕ w〉 if ∃(w, y) ∈ D
8/10
qIND-qCCA (Real-or-Random)
ExptbSE(λ,A):
1 k$← K()
2∑
x,yαx,y |x, y, φx,y〉︸ ︷︷ ︸|Φ〉
← A|Enck〉,|Deck〉1 (λ)
3 π$← Π
4∑
x,y αx,y |x, y ⊕ Enck(πb(x)), φx,y〉︸ ︷︷ ︸
|Ψ〉
⊗Dx,y ← Enck◦πb |Φ〉
5 b′ ← A|Enck〉,|Dec?k 〉2 (|Ψ〉)
6 return b′
Dec?k |y, z〉 ⊗D =
{|y, z ⊕ Deck(y)〉 if @(w, y) ∈ D|y, z ⊕ w〉 if ∃(w, y) ∈ D
8/10
qIND-qCCA (Real-or-Random)
ExptbSE(λ,A):
1 k$← K()
2∑
x,yαx,y |x, y, φx,y〉︸ ︷︷ ︸|Φ〉
← A|Enck〉,|Deck〉1 (λ)
3 π$← Π
4∑
x,y αx,y |x, y ⊕ Enck(πb(x)), φx,y〉︸ ︷︷ ︸
|Ψ〉
⊗Dx,y ← Enck◦πb |Φ〉
5 b′ ← A|Enck〉,|Dec?k 〉2 (|Ψ〉)
6 return b′
Dec?k |y, z〉 ⊗D =
{|y, z ⊕ Deck(y)〉 if @(w, y) ∈ D|y, z ⊕ w〉 if ∃(w, y) ∈ D
Use compressed oracle here
8/10
qIND-qCCA (Real-or-Random)
ExptbSE(λ,A):
1 k$← K()
2∑
x,yαx,y |x, y, φx,y〉︸ ︷︷ ︸|Φ〉
← A|Enck〉,|Deck〉1 (λ)
3 π$← Π
4∑
x,y αx,y |x, y ⊕ Enck(πb(x)), φx,y〉︸ ︷︷ ︸
|Ψ〉
⊗Dx,y ← Enck◦πb |Φ〉
5 b′ ← A|Enck〉,|Dec?k 〉2 (|Ψ〉)
6 return b′
Dec?k |y, z〉 ⊗D =
{|y, z ⊕ Deck(y)〉 if @(w, y) ∈ D|y, z ⊕ w〉 if ∃(w, y) ∈ D
8/10
qIND-qCCA (Real-or-Random)
ExptbSE(λ,A):
1 k$← K()
2∑
x,yαx,y |x, y, φx,y〉︸ ︷︷ ︸|Φ〉
← A|Enck〉,|Deck〉1 (λ)
3 π$← Π
4∑
x,y αx,y |x, y ⊕ Enck(πb(x)), φx,y〉︸ ︷︷ ︸
|Ψ〉
⊗Dx,y ← Enck◦πb |Φ〉
5 b′ ← A|Enck〉,|Dec?k 〉2 (|Ψ〉)
6 return b′
Dec?k |y, z〉 ⊗D =
{|y, z ⊕ Deck(y)〉 if @(w, y) ∈ D|y, z ⊕ w〉 if ∃(w, y) ∈ D
8/10
qIND-qCCA (Real-or-Random)
ExptbSE(λ,A):
1 k$← K()
2∑
x,yαx,y |x, y, φx,y〉︸ ︷︷ ︸|Φ〉
← A|Enck〉,|Deck〉1 (λ)
3 π$← Π
4∑
x,y αx,y |x, y ⊕ Enck(πb(x)), φx,y〉︸ ︷︷ ︸
|Ψ〉
⊗Dx,y ← Enck◦πb |Φ〉
5 b′ ← A|Enck〉,|Dec?k 〉2 (|Ψ〉)
6 return b′
Dec?k |y, z〉 ⊗D =
{|y, z ⊕ Deck(y)〉 if @(w, y) ∈ D|y, z ⊕ w〉 if ∃(w, y) ∈ D
9/10
Properties & Achievability
Properties
I qIND security ⇒ IND security
I ComposabilityI IND-qCCA < qIND-qCPA
I One-time pad encryption style (stream cipher, GCM, CFB, OFB, CTR ...) isinsecure.
Achievability
I Encrypt-then-MAC is qIND-qCCA
I IND-qCCA PKE + OWF ⇒ qIND-qCCA PKE
9/10
Properties & Achievability
Properties
I qIND security ⇒ IND security
I ComposabilityI IND-qCCA < qIND-qCPA
I One-time pad encryption style (stream cipher, GCM, CFB, OFB, CTR ...) isinsecure.
Achievability
I Encrypt-then-MAC is qIND-qCCA
I IND-qCCA PKE + OWF ⇒ qIND-qCCA PKE
9/10
Properties & Achievability
Properties
I qIND security ⇒ IND security
I ComposabilityI IND-qCCA < qIND-qCPA
I One-time pad encryption style (stream cipher, GCM, CFB, OFB, CTR ...) isinsecure.
Achievability
I Encrypt-then-MAC is qIND-qCCA
I IND-qCCA PKE + OWF ⇒ qIND-qCCA PKE
9/10
Properties & Achievability
Properties
I qIND security ⇒ IND security
I ComposabilityI IND-qCCA < qIND-qCPA
I One-time pad encryption style (stream cipher, GCM, CFB, OFB, CTR ...) isinsecure.
Achievability
I Encrypt-then-MAC is qIND-qCCA
I IND-qCCA PKE + OWF ⇒ qIND-qCCA PKE
10/10
Thank you!