Unforgeable Quantum Encryption

Alagic, Gorjan; Gagliardoni, Tommaso; Majenz, Christian

doi:10.1007/978-3-319-78372-7_16

Gorjan Alagic^15,16,
Tommaso Gagliardoni¹⁷ &
Christian Majenz^18,19

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 10822))

Included in the following conference series:

Annual International Conference on the Theory and Applications of Cryptographic Techniques

3631 Accesses
15 Citations

Abstract

We study the problem of encrypting and authenticating quantum data in the presence of adversaries making adaptive chosen plaintext and chosen ciphertext queries. Classically, security games use string copying and comparison to detect adversarial cheating in such scenarios. Quantumly, this approach would violate no-cloning. We develop new techniques to overcome this problem: we use entanglement to detect cheating, and rely on recent results for characterizing quantum encryption schemes. We give definitions for (i) ciphertext unforgeability, (ii) indistinguishability under adaptive chosen-ciphertext attack, and (iii) authenticated encryption. The restriction of each definition to the classical setting is at least as strong as the corresponding classical notion: (i) implies $\mathsf {INT\text {-}CTXT}$, (ii) implies $\mathsf {IND\text {-}CCA2}$, and (iii) implies $\mathsf {AE}$. All of our new notions also imply $\mathsf {QIND\text {-}CPA}$ privacy. Combining one-time authentication and classical pseudorandomness, we construct symmetric-key quantum encryption schemes for each of these new security notions, and provide several separation examples. Along the way, we also give a new definition of one-time quantum authentication which, unlike all previous approaches, authenticates ciphertexts rather than plaintexts.

You have full access to this open access chapter, Download conference paper PDF

On Quantum Ciphertext Indistinguishability, Recoverability, and OAEP

Composable and Finite Computational Security of Quantum Message Transmission

On Security Notions for Encryption in a Quantum World

Keywords

These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

1 Introduction

Given the rapid development of quantum information processing, it is reasonable to conjecture that future communication networks will include at least some large-scale quantum computers and high-capacity quantum channels. What will secure communication look like on the resulting “quantum Internet”? For instance, how will we transmit quantum messages securely over a completely insecure channel? One approach is via interactive and information-theoretically secure methods, e.g., combining entanglement distillation with teleportation. In this work, we will instead consider the non-interactive, highly efficient approach which dominates the current classical Internet. A natural goal here is to achieve, in the quantum setting, all the basic features that are enjoyed by classical encryption: (i) a single small key suffices for transmitting an essentially unlimited amount of data, (ii) these keys can be exchanged over public channels, and (iii) the security guarantees are as strong as possible. Previous work has shown how to achieve both (i) and (ii), but only for secrecy against chosen-plaintext and non-adaptive chosen-ciphertext attacks [3, 14]. Authentication or adaptive chosen-ciphertext security for such schemes has, as yet, not been considered. In fact, at the time of writing, there is not even a definition for two-time quantum authentication, much less for quantum analogues of $\mathsf {EUF\text {-}CMA}$ or $\mathsf {IND\text {-}CCA2}$. The aim of this work is to address this problem.

The security definitions we seek do not yet exist due to a number of technical obstacles, all of which can be traced to quantum no-cloning and the destructiveness of quantum measurements. These obstacles make it difficult even just to formulate the basic security notion, much less to prove reductions or to construct secure schemes. In unforgeability, for example, no-cloning makes it impossible to record the adversary’s queries and check whether the final output is a fresh forgery. In adaptive chosen-ciphertext security, no-cloning makes it impossible to record the challenge ciphertext and ensure that the adversary doesn’t “cheat” by simply decrypting it (and thus win against any scheme). Moreover, due to the destructiveness of quantum measurement, it is unclear if one can both perform cheat-detection and answer non-cheating queries correctly.

In this work, we overcome these obstacles, and present the first definitions of multiple-query unforgeability and adaptive chosen-ciphertext indistinguishability for quantum encryption schemes, thereby solving a longstanding open problem [3, 12, 20]. While our definitions are inherently quantum in nature, we are able to show that they are in fact natural analogues of well-known classical security definitions, such as $\mathsf {INT\text {-}CTXT}$ and $\mathsf {IND\text {-}CCA2}$. The strongest security notion we define is called quantum authenticated encryption (or $\mathsf {QAE}$) and corresponds to the strongest form of security normally studied in the classical setting. A secret-key scheme satisfying $\mathsf {QAE}$ is unforgeable and indistinguishable even against adversaries that can make adaptive encryption and decryption queries.

In an effort to explore this new landscape, we prove several theorems which relate our new notions to each other and to established quantum and classical security definitions. We also show how to satisfy each of our new security notions with explicit, efficient constructions. In particular, we show that combining a post-quantum secure pseudorandom function with a unitary 2-design yields the strongest form of secret-key quantum encryption defined thus far, i.e., $\mathsf {QAE}$.

Related Work. Computationally-secure quantum encryption has garnered significant interest in the past few years, beginning with basic security notions like $\mathsf {QIND\text {-}CPA}$ and $\mathsf {QIND\text {-}CCA1}$ [3, 14], and then with more advanced concepts such as quantum fully-homomorphic encryption (QFHE) [14, 17]. For authentication, uncloneability, and non-malleability, the one-time setting has received considerable attention (see, e.g., [5, 6, 15, 19, 21, 23, 24, 27].) We will make use of the authentication definition of [19], a characterization lemma of [5], and a simulation adversary of [15]. For classical notions of unforgeability and chosen-ciphertext security, see e.g. [25].

1.1 Our Approach

The Problem. We begin by outlining the technical difficulties in some further detail. Let us consider many-time authentication for symmetric-key encryption schemes first. In the classical setting, secure many-time authentication is defined in terms of unforgeability. A scheme is unforgeable if no adversary, even if granted the black-box power to authenticate with our secret key, can generate a fresh and properly authenticated message (i.e., a forgery). Translating this idea to the quantum setting presents immediate technical difficulties. First, no-cloning prevents us from recording the adversary’s previous queries. Second, even if the first problem is surmounted, the nature of measurement might make it difficult to reliably identify whether the adversary’s output is indeed fresh. For example, we might need many copies of the adversary’s query, as well as many copies of their final output.

A similar problem occurs for secrecy. The current state-of-the-art is the so-called $\mathsf {QIND\text {-}CCA1}$ model. In this model, the transmitted state (the “challenge”) remains secret even to adversaries with the black-box power to both encrypt and non-adaptively decrypt with our secret key. Our experience in the classical world tells us that this model is too weak, because real-world adversaries can sometimes gain adaptive access to decryption (e.g., in WEP and early versions of SSL [8]). Classically, this is addressed using the so-called $\mathsf {IND\text {-}CCA2}$ model, where the adversary is allowed adaptive decryption queries but cannot use them on the challenge (without this caveat, security becomes impossible). Here again, the quantum setting presents numerous technical difficulties: no-cloning prevents us from recording the challenge, and the nature of measurement makes it difficult to tell if the adversary is attempting to decrypt the challenge.

Recall that the strongest form of classical security, so-called “authenticated encryption” (or $\mathsf {AE}$) is defined to be $\mathsf {IND\text {-}CCA2}$ together with unforgeability of ciphertexts [25]. Achieving a comparable quantum notion thus seems to require solving all of the above problems.

Using classical intuition, one might attempt a solution as follows: consider only pure-state plaintexts, and demand that the final forgery is orthogonal to the previous queries (or, in $\textsf {CCA2}$, that decryption queries are orthogonal to the challenge). This may seem promising at first, but a closer look reveals numerous issues; for example: (i) quantum states are in general not pure, and may include side registers kept by the adversary, (ii) this idea charges the adversary with adhering to very strict demands, contrary to good theory practice, (iii) checking whether a particular adversary satisfies the demands cannot be done efficiently.

A Promising Approach. We now describe a more promising solution, beginning with unforgeability. We will express security in terms of the performance of adversaries $\mathcal A$ in two games: (1) F-Real, where $\mathcal A$ gets oracle access to $\mathsf {Enc} _k$ and wins if he outputs any valid ciphertext, and (2) F-Cheat, where we attempt to ascertain if $\mathcal A$ is cheating by feeding us an output of the oracle. How do we detect this kind of cheating? Recall that, even in the one-time setting, quantum authentication implies indistinguishability of ciphertexts. A consequence of this is that, whenever $\mathcal A$ performs an encryption query on a certain plaintext state, we are free to respond with an encryption of a different state – for example, half of a maximally-entangled state. This will be our approach: we prepare an entangled pair $| \phi ^+ \rangle _{MM'}$, apply $\mathsf {Enc} _k$ to register M, give the resulting ciphertext register to $\mathcal A$, and keep $M'$. When the game ends, we decrypt the output of $\mathcal A$ into a register O, and then perform the measurement $\{\varPi _{\phi ^+}, \mathbbm {1}- \varPi _{\phi ^+}\}$ on $OM'$. We then declare that $\mathcal A$ is cheating if and only if the first outcome is recorded.

This idea can also be applied to the multiple-query setting. There, we respond to the jth query with an encryption of register M of $| \phi ^+ \rangle _{MM_j}$, and save $M_j$; at the end of the game, we perform the aforementioned measurement on $OM_j$ for all j and declare that $\mathcal A$ cheated if any of them return the first outcome.

To define a quantum analogue of $\mathsf {IND\text {-}CCA2}$, we can try a similar strategy. We again compare the performance of $\mathcal A$ in two games: (1) C-Real, which is just like the classical $\mathsf {IND\text {-}CCA2}$ game, except with no restrictions on $\mathcal A$’s use of the $\mathsf {Dec} _k$ oracle, and (2) C-Cheat, where we again attempt to detect cheating. In C-Cheat, when the adversary sends us the challenge plaintext, we discard it and respond with the ciphertext register of $(\mathsf {Enc} _k \otimes \mathbbm {1}_{M'})| \phi ^+ \rangle _{MM'}$ instead, while keeping $M'$ to ourselves. Whenever $\mathcal A$ queries the decryption oracle, we first apply $\mathsf {Dec} _k$ and place the resulting plaintext in a register O. Then we apply the measurement $\{\varPi _{\phi ^+}, \mathbbm {1}- \varPi _{\phi ^+}\}$ to $OM'$ to see if the adversary is cheating. If we get the first outcome, we declare that $\mathcal A$ cheated.

The above ideas do lead to reasonable security definitions, which (at least partly) fulfill our original goals. However, they suffer from a number of drawbacks. First, repeated measurement of the plaintext requires the use of a so-called “gentle measurement lemma” [29], and thus can only apply to large plaintext spaces (e.g., $n^c$ qubits for $c > 0$). Second, they only offer plaintext authentication and a kind-of plaintext CCA security; modification of ciphertexts (that does not also modify the underlying plaintext) cannot be detected. Our classical experience tells us that this is insufficient, and that we should demand impossibility of any ciphertext manipulation whatsoever. Addressing these problems is where many of our new technical contributions (in addition to the above ideas) are needed. While our actual approach will be different, and more sophisticated techniques are required, we will still follow the spirit of the idea outlined above.

1.2 Summary of Results

Recall that, in the setting of quantum data, copying is impossible and authentication implies encryption [9]. In particular, there is no direct quantum analogue of a MAC. As a result, the central objects of study in our work will be symmetric-key quantum encryption schemes, or $\textsf {SKQES}$ for short, but our results on quantum CCA2 security carry over to the public-key setting as well.

Quantum Ciphertext Authentication. All previous definitions of authentication for quantum data allow manipulation of the ciphertext (see Sect. 2), thus only authenticating the plaintext state. In our first main contribution, we solve this problem, laying the necessary groundwork for our remaining results.

We give a new definition: information-theoretic quantum one-time ciphertext authentication ($\mathsf {QCA}$), inspired by ideas of [5, 15].
We prove that $\mathsf {QCA}$ is a strengthening of “$\mathsf {DNS}$”-authentication [19].

Theorem 1

(informal). If a $\textsf {SKQES}$ authenticates ciphertexts ($\mathsf {QCA}$), then it also authenticates plaintexts ($\mathsf {DNS}$); in particular, it satisfies secrecy ($\mathsf {QIND}$).

We define computational-security (one-time) analogues: $\mathsf {cQCA}$ and $\mathsf {cDNS}$.

Quantum Unforgeability. In this setting, the adversary is granted access to an encryption oracle, and must generate a valid “fresh” ciphertext.

We give a new definition: quantum unforgeability ($\mathsf {QUF}$), combining ideas of Sect. 1.1 and [5]. We also define a bounded-query analogue (t-$\mathsf {QUF}$).
We show that $\mathsf {UF}$, the classical analogue of $\mathsf {QUF}$, is remarkably strong.

Theorem 2

(informal). For classical schemes, $\mathsf {UF} \iff \mathsf {AE} $.

Quantum Chosen-Ciphertext Security. We address the longstanding problem of defining quantum security under adaptive chosen-ciphertext attack [3, 12, 20]; the state of the art was previously the non-adaptive $\mathsf {QIND\text {-}CCA1}$ [3].

We give a new definition: quantum indistinguishability under adaptive chosen-ciphertext attack

($\mathsf {QIND\text {-}CCA2}$), using all of the aforementioned ideas.
We relate $\mathsf {QIND\text {-}CCA2}$ to existing security notions.

Theorem 3

(informal).

1.
For quantum schemes, $\mathsf {QIND\text {-}CCA2}\implies \mathsf {QIND\text {-}CCA1}$.
2.
The classical analogue of $\mathsf {QIND\text {-}CCA2}$ is equivalent to classical $\mathsf {IND\text {-}CCA2}$.

Quantum Authenticated Encryption. In our main contribution, we define a natural quantum analogue of the classical concept of authenticated encryption ($\mathsf {AE}$). All previous quantum security notions lacked both unforgeability and adaptive chosen-ciphertext security.

We give a new definition: quantum authenticated encryption ($\mathsf {QAE}$), combining the ideas of Sect. 1.1, the notion of $\mathsf {QCA}$, and a real/ideal approach [28].
We give evidence that $\mathsf {QAE}$ is indeed the correct quantum analogue of $\mathsf {AE}$.

Theorem 4

(informal).

1.
Unforgeability and secure authentication: $\mathsf {QAE} \implies \mathsf {QUF} \wedge \mathsf {cQCA} $.
2.
Chosen-ciphertext security: $\mathsf {QAE} \implies \mathsf {QIND\text {-}CCA2}$.
3.
The classical analogue of $\mathsf {QAE}$ is equivalent to classical $\mathsf {AE}$.

The new notions and connections we develop are summarized in Fig. 1.

Constructions and Separations. Our new constructions combine a $\textsf {SKQES}$ $\varPi $ with a classical keyed function family f to build a new $\textsf {SKQES}$ $\varPi ^f$, as follows. In $\varPi ^f$, key generation outputs a key for f; to encrypt a state $\varrho $, we generate a random r and output $(r, \mathsf {Enc} ^\varPi _{f_k(r)}(\varrho ))$. For example, if $\varPi $ is the quantum one-time pad and f is a $\mathsf {pqPRF}$ (i.e., a post-quantum-secure pseudo-random function), then $\varPi ^f$ is the $\mathsf {IND\text {-}CCA1}$-secure scheme from [3]. We will also need the standard one-time authentication scheme $\mathsf {2desTag} $, defined by $\mathsf {Enc} _k: \varrho \mapsto C_k (\varrho \otimes \left| 0^n\right\rangle \left\langle 0^n\right| ) C_k^\dagger $ where C is an (exact or approximate) unitary two-design.

Theorem 5

(informal). Let $\varPi $ be a $\mathsf {2desTag} $ scheme, let f be a $\mathsf {pqPRF}$, and let g be a t-wise independent classical function family. Then

1.
$\varPi $ is one-time ciphertext authenticating ($\mathsf {QCA}$).
2.
$\varPi ^g$ is t-time quantum unforgeable (t-$\mathsf {QUF}$).
3.
$\varPi ^f$ satisfies quantum authenticated encryption ($\mathsf {QAE}$); in particular, it is quantum unforgeable ($\mathsf {QUF}$) and chosen-ciphertext secure ($\mathsf {QIND\text {-}CCA2}$).

Theorem 6

(informal).

1.
There exists an $\textsf {SKQES}$ which is $\mathsf {QIND\text {-}CCA1}$ but not $\mathsf {QIND\text {-}CCA2}$.
2.
There exists an $\textsf {SKQES}$ which is $\mathsf {QIND\text {-}CCA2}$ but not $\mathsf {QAE}$.

Our Choice of Primitives. The reader may wonder why our constructions do not need “quantum-oracle-secure” primitives (e.g., $\mathsf {QPRF} $s for unforgeability and 2t-wise independence for t-time security, as in the quantum-secure classical setting of [11]). In our work, the classical portion of the ciphertext is generated by honest parties during encryption, and measured during decryption. As a result, oracle access to $\mathsf {Enc} _k$ and $\mathsf {Dec} _k$ (as CPTP maps) never grants quantum oracle access to the underlying classical primitive. Of course, one could grant the adversary more powerful oracles that do grant this kind of access, and then quantum-oracle-secure primitives (such as $\mathsf {QPRF} $s) would indeed be required.

A Remark on Applicability. While all of our definitions apply to arbitrary quantum encryption schemes, security reductions sometimes require the following additional condition. As discussed in Sect. 3, all quantum encryption algorithms can be characterized as (1) drawing a random pure state from a probability distribution, (2) attaching it to the plaintext, and (3) applying a unitary operator. For the implication $\mathsf {QAE}$ $\Rightarrow \mathsf {cQCA} $ of Theorem 4 to hold, it is required that (1), (2) and (3) are efficiently implementable. This condition holds for all schemes known to us. However, it is in principle possible that there are schemes for which $\mathsf {Enc} _k$ is efficiently implementable, but the particular implementation “(1), then (2), then (3)” is not. We leave this as an open problem.

2 Preliminaries

Basic Notation and Conventions. In the rest of this work, we use “classical” to denote “non-quantum”, “iff” for “if and only if”, and $n$ to denote the security parameter. A function $\varepsilon (n)$ is negligible (denoted $\varepsilon (n) \le {\text {negl}} (n)$) if it is asymptotically smaller than $1/p(n)$ for every polynomial function p. The notation means that x is a sample from the uniform distribution over the set X. By “PPT” we mean a polynomial-time uniform family of probabilistic circuits, and by “QPT” we mean a polynomial-time uniform family of quantum circuits. We will frequently give such algorithms names like “adversary” or “challenger,” but this is only to help remember the role of the algorithm.

For notation and conventions regarding quantum information, we refer the reader to [26]. We recall a few basics here. We denote by $\mathcal {H}_M$ a complex Hilbert space with label M and finite dimension $\dim M$. We use the standard bra-ket notation to work with pure states $| \varphi \rangle \in \mathcal {H}_M$. The class of positive, Hermitian, trace-one linear operators on $\mathcal {H}_M$ is denoted by $\mathfrak D (\mathcal {H}_M)$. A quantum register is a physical system whose set of valid states is $\mathfrak D (\mathcal {H}_M)$; in this case we label by M the register itself. We reserve the notation $\tau _M$ for the maximally mixed state (i.e., uniform classical distribution) $\mathbbm {1}/ \dim M$ on M.

In a typical cryptographic scenario, a “quantum register M” is in fact an infinite family of registers $\{M_n\}_{n \in \mathbb {N}}$ consisting of p(n) qubits, where p is some fixed polynomial. This family is parameterized by n, which is typically also the security parameter. We will consider completely positive (CP), trace-preserving (TP) maps (i.e., quantum channels) when describing quantum algorithms. To indicate that $\varPhi $ is a channel from register A to B, we will write $\varPhi _{A \rightarrow B}$. When it helps to clarify notation, we will use $\circ $ to denote composition of operators. We will also often drop tensor products with the identity, e.g., given a map $\varPsi _{BC \rightarrow D}$, we will write $\varPsi \circ \varPhi $ to denote the map $\varPsi \circ (\varPhi \otimes \mathbbm {1}_C)$ from AC to D.

The support of a quantum state $\varrho $ is its cokernel (as a linear operator). Equivalently, this is the span of the pure states making up any decomposition of $\varrho $ as a convex combination of pure states. We will denote the orthogonal projection operator onto this subspace by $P_\varrho $. The two-outcome projective measurement (to test if a state has the same or different support as $\varrho $) is then $\{P_\varrho , \mathbbm {1}-P_\varrho \}$.

Next, we single out some unitary operators that will appear frequently. First, the group of n-qubit operators generated by Paulis I, X, Y, Z (applied to individual qubits) is a well-known unitary one-design. The Clifford group on n qubits is defined to be the normalizer of the Pauli group inside the unitary group. It can also be seen as the group generated by the gate set (H, P, CNOT) [22]; it is also a unitary two-design [16].

A unitary t-design (for a fixed t) is an infinite collection $\mathcal U = \{\mathcal U^{(n)} : n \in \mathbb {N}\}$, where $\mathcal U^{(n)}$ forms an n-qubit unitary t-design in the standard sense, i.e.,

$$\begin{aligned} \frac{1}{|\mathcal U^{(n)}|}\sum _{U\,\in \,{\mathcal U}^{(n)}}U^{\otimes t}X\left( U^\dagger \right) ^{\otimes t} = \int U^{\otimes t}X\left( U^\dagger \right) ^{\otimes t} dU\,. \end{aligned}$$

(1)

In the above, the integral is taken over the n-qubit unitary group according to the Haar measure. We assume that there is an explicit polynomial function m(n) and a deterministic polynomial-time algorithm which, given $1^n$ and , produces a circuit for a unitary operator $U_{k, n}$ which is distributed uniformly at random in $\mathcal U^{(n)}$. We will not refer to this algorithm explicitly and will simply write $\{U_{k, n} : k \in \{0,1\}^{m(n)}\}$ for the resulting distribution on unitary operators; we will also frequently suppress one index and write $U_k$ when n is clear from context. We refer to the polynomial m as the key length of the t-design. Standard examples are: (i) the Pauli one-design (where we apply $X^aZ^b$ to each qubit for random $a, b \in \{0,1\}$) is a unitary one-design on n qubits with key length 2n; (ii) the Clifford group (where we apply a uniformly random element of the n-qubit Clifford group, efficiently generated via the Gottesman-Knill theorem [1]) is a unitary 3-design, and therefore in particular a unitary 2-design, on n qubits with key length $O(n^2)$; (iii) random ${\text {poly}}(t, n)$-size quantum circuits, randomly generated from a universal gate set, are approximate t-designs on n qubits [13].

In this work, we will only require one-designs and two-designs, and we will assume for simplicity that the designs are exact. While approximate designs would also suffice, some additional (but straightforward) analysis would be required.

Quantum Encryption. We will follow the conventions set in [3]; the exception is that decryption can reject by outputting a special symbol $\bot $.

Definition 1

A symmetric-key quantum encryption scheme (or ${\mathsf {SKQES}}$) is a triple of QPT algorithms:

1.
(key generation)^{Footnote 1} $\mathsf {KeyGen}:$ on input $1^n$, outputs
2.
(encryption) $\mathsf {Enc}: \mathcal {K} \times \mathfrak D (\mathcal H _M) \rightarrow \mathfrak D (\mathcal H _C)$
3.
(decryption) $\mathsf {Dec}: \mathcal {K} \times \mathfrak D (\mathcal H _C) \rightarrow \mathfrak D (\mathcal H _M \oplus \left| \bot \right\rangle \left\langle \bot \right| )$

such that $\Vert \mathsf {Dec} _k \circ \mathsf {Enc} _k - \mathbbm {1}_M \oplus 0_\bot \Vert _\diamond \le {\text {negl}} (n)$ for all $k \in \mathbf{supp} ~ \mathsf {KeyGen} (1^n)$.

It is implicit that the key space $\mathcal {K} $ is classical and of size ${\text {poly}}(n)$; likewise, the registers C and M are quantum registers of at most ${\text {poly}}(n)$ qubits. We will only consider $\textsf {SKQES}$ of fixed-length, meaning that the number of qubits in M is a fixed function of the security parameter n. We assume that honest parties will apply the measurement $\{\varPi _\bot , \mathbbm {1}- \varPi _\bot \}$ (where $\varPi _\bot = \left| \bot \right\rangle \left\langle \bot \right| $) immediately after decryption. This allows us to write, e.g., $\mathsf {Dec} _k(\varrho ) \ne \bot $ to mean that decryption (followed by this measurement) successfully produced a valid plaintext.

We will often combine quantum schemes with classical (keyed) function families. A keyed function family consists of functions $f:\{0,1\}^{p(n)} \times \{0,1\}^{q(n)} \rightarrow \{0,1\}^{s(n)}$ where p, q, s are polynomials in n. In typical usage, we sample a key and then consider the restricted function $f_k : \{0,1\}^{q(n)} \rightarrow \{0,1\}^{s(n)}$ defined by $f_k(x) = f(k, x)$. All keyed function families are assumed to be computable by a deterministic polynomial-time uniform classical algorithm.

Definition 2

Let $\varPi = (\mathsf {KeyGen} ^\varPi , \mathsf {Enc} ^\varPi , \mathsf {Dec} ^\varPi )$ be a $\textsf {SKQES}$, and $f:\{0,1\}^{p(n)} \times \{0,1\}^{q(n)} \rightarrow \{0,1\}^{s(n)}$ a classical keyed function family. Define a new $\textsf {SKQES}$ $\varPi ^f = (\mathsf {KeyGen}, \mathsf {Enc}, \mathsf {Dec})$ as follows:

1.
$\mathsf {KeyGen}:$ on input $1^n$, outputs ;
2.
$\mathsf {Enc} _k:$ on input $\varrho $, outputs $| r \rangle \langle r | \otimes \mathsf {Enc} ^\varPi _{f_k(r)}(\varrho )$, where ;
3.
$\mathsf {Dec} _k: \left| s\right\rangle \left\langle s\right| \otimes \sigma \mapsto \mathsf {Dec} ^\varPi _{f_k(s)}(\sigma )$.

We extend $\mathsf {Dec} _k$ to arbitrary inputs by postulating that it begins by measuring the first register in the computational basis. Note that $\varPi ^f$ has plaintext length t(s(n)) where t(.) is the plaintext length of $\varPi $ as a function of $\varPi $’s key length. This construction can be extended to schemes $\varPi $ with a non-uniform key by using the output of the keyed function family as a random tape for $\mathsf {KeyGen} ^\varPi $.

Quantum Secrecy. The literature contains a number of information-theoretic definitions of quantum secrecy (see, e.g., [3, 6, 7, 14]). It is well-known that a unitary one-design (e.g., the Pauli group) is an information-theoretically secret scheme. In this work, however, we focus on the computational setting [3, 14].

Definition 3

$\mathbf{(}\mathsf {QIND}$). A $\textsf {SKQES} $ $\varPi = (\mathsf {KeyGen}, \mathsf {Enc}, \mathsf {Dec})$ has indistinguishable encryptions (or is $\mathsf {QIND}$) if for every QPT adversary $\mathcal {A} =(\mathcal {M},\mathcal {D})$ we have:

$$ \Bigl | \Pr \bigl [ \mathcal {D} \big \{ (\mathsf {Enc} _k \otimes \mathbbm {1}_E) \varrho _{ME} \big \} = 1 \bigr ] - \Pr \bigl [ \mathcal {D} \big \{ (\mathsf {Enc} _k \otimes \mathbbm {1}_E) (\left| 0\right\rangle \left\langle 0\right| _M \otimes \varrho _E) \big \} = 1 \bigr ] \Bigr | \le {\text {negl}} (n), $$

where $\varrho _{ME} \leftarrow \mathcal {M} (1^n)$, $\varrho _E = \mathrm {Tr}_M(\varrho _{ME})$, and the probabilities are taken over $k \leftarrow \mathsf {KeyGen} (1^n)$ and the coins and measurements of $\mathsf {Enc}$, $\mathcal {M} $, $\mathcal {D} $. We also define:

$\mathsf {QIND\text {-}CPA}$: In addition to the above, $\mathcal {M} $ and $\mathcal {D} $ have oracle access to $\mathsf {Enc} _k$.
$\mathsf {QIND\text {-}CCA1}$: In addition to $\mathsf {QIND\text {-}CPA}$, $\mathcal {M} $ has oracle access to $\mathsf {Dec} _k$.

Recall that a $\mathsf {pqPRF}$ (post-quantum pseudorandom function) is a classical, deterministic, efficiently computable keyed function family $\{f_k\}_k$ which appears random to QPT algorithms with classical oracle access to $f_k$ for uniformly random k. The strongest notion ($\mathsf {QIND\text {-}CCA1}$) is satisfied by $\varPi ^f$ where $\varPi $ is a one-design and f is a $\mathsf {pqPRF}$ [3]. We let $\mathsf {1des^{PRF}}$ denote such schemes.

One-Time Authentication. We recall quantum authentication as defined by Dupuis et al. [19], and adapt it to our conventions. Given an attack map $\varLambda _{CB \rightarrow C\tilde{B}}$ on a scheme $\varPi = (\mathsf {KeyGen}, \mathsf {Enc}, \mathsf {Dec})$ (where the adversary holds B and $\tilde{B}$), we define the “averaged effective plaintext map” (or just “effective map”) as follows.

$$\begin{aligned} \varLambda ^\varPi _{MB\rightarrow M\tilde{B}} := \mathbb {E}_{\,k \leftarrow \mathsf {KeyGen} (1^n)} \left[ \mathsf {Dec} _k \circ \varLambda \circ \mathsf {Enc} _k\right] \,. \end{aligned}$$

We then require that, conditioned on acceptance, this map is the identity on M.

Definition 4

([19]). A $\textsf {SKQES} $ $\varPi = (\mathsf {KeyGen}, \mathsf {Enc}, \mathsf {Dec})$ is $\mathsf {DNS}$-authenticating if, for any CP-map $\varLambda _{CB\rightarrow C\tilde{B}}$, there exist CP-maps $\varLambda ^{\mathsf {acc}}_{B\rightarrow \tilde{B}}$ and $\varLambda ^{\mathsf {rej}}_{B\rightarrow \tilde{B}}$ that sum to a TP map, such that

$$\begin{aligned} \left\| \varLambda ^\varPi _{MB\rightarrow M\tilde{B}} - \left( \mathrm {id}_M\otimes \varLambda ^{\mathsf {acc}}_{B\rightarrow \tilde{B}} + |\bot \rangle \langle \bot |_M\otimes \varLambda ^{\mathsf {rej}}_{B\rightarrow \tilde{B}}\right) \right\| _\diamond \le {\text {negl}} (n)\,. \end{aligned}$$

(2)

An important observation is that this definition only provides for authentication of the plaintext state. To see that this cannot be “ciphertext authentication,” simply take a scheme which is $\mathsf {DNS}$ and change it so that (i) an extra bit is added to the ciphertext during encryption, and (ii) that same bit is ignored during decryption. The resulting scheme still satisfies $\mathsf {DNS}$, but the adversary can clearly forge ciphertexts by flipping the extra bit. A perhaps more compelling example just adds encoding (in some QEC code) after encryption, and decoding prior to decryption. The adversary is then free to modify ciphertexts with correctable errors without violating $\mathsf {DNS}$. We remark that, in this respect, the recent strengthening of $\mathsf {DNS}$ due to Garg et al. [21] is no different: a scheme secure according to this stronger notion of authentication can be modified in the same way without losing security.

Next, we recall a standard one-time authentication scheme. We encrypt by appending n “tag” qubits in the fixed state $| 0 \rangle $ and then applying a random element of a 2-design. Decryption first undoes the 2-design, then outputs the plaintext iff all tag qubits measure to 0; otherwise it outputs $\bot $.

Scheme 1

The scheme family $\mathsf {2desTag}$ is defined as follows. Select a unitary 2-design $\mathcal U$ with key length $m(\cdot )$, and define algorithms:

1.
$\mathsf {KeyGen} $: on input $1^n$, output ;
2.
$\mathsf {Enc} _k$: on input $\varrho _M$, output $U_k(\varrho _M \otimes \left| 0^n\right\rangle \left\langle 0^n\right| _T)U^\dagger _k$
3.
$\mathsf {Dec} _k$: on input $\sigma _{MT}$, output
$$ \langle 0^n |_TU_k^\dagger \sigma _{MT} U_k| 0^n \rangle _T + \mathrm {Tr}\bigl [(\mathbbm {1}-\left| 0^n\right\rangle \left\langle 0^n\right| _T)U_k^\dagger \sigma _{MT} U_k\bigr ]\left| \bot \right\rangle \left\langle \bot \right| _M\,. $$

We chose $\mathsf {2desTag} $ to have plaintext and tag length n. It is well-known that, for plaintexts of at most polynomial length and tags of length at least $n^c$, these schemes are $\mathsf {DNS}$-authenticating [2, 19].

3 One-Time Ciphertext Authentication

One-time quantum authentication has been extensively studied [5, 9, 15, 18, 19, 21]. As we observed above, all of these works concern plaintext authentication, which ensures that manipulated ciphertexts decrypt to either the original plaintext or the reject symbol. Classical MACs, on the other hand, provide ciphertext authentication, which ensures that any ciphertext manipulation whatsoever will result in rejection. This distinction is important; for instance, in classical $\mathsf {IND\text {-}CCA2}$, the adversary can defeat plaintext-authenticating schemes by invoking the decryption oracle on a modified challenge ciphertext.

In this section we show how to define and construct ciphertext authentication in the quantum setting. These ideas will be crucial to defining more advanced notions (such as ciphertext unforgeability and adaptive chosen-ciphertext security) later in the paper. We start with the information-theoretical security setting, and then we discuss how to apply these notions to the computational setting.

A Characterization of Encryption Schemes. We recall a lemma from [5] stating that all $\textsf {SKQES}$ encrypt by (i) attaching some (possibly key-dependent) auxiliary state, and (ii) applying a unitary^{Footnote 2} operator. Decryption undoes the unitary, and then checks if the support of the state in the auxiliary register has changed. We emphasize that this characterization follows from correctness only, and thus applies to all schemes.

Lemma 1

(Lemma B.9 in [5], restated). Let $\varPi =(\mathsf {KeyGen}, \mathsf {Enc}, \mathsf {Dec})$ be a $\textsf {SKQES} $. Then $\mathsf {Enc} $ and $\mathsf {Dec} $ have the following form:

$$\begin{aligned}&\mathsf {Enc} _k(X_M) = V_k\left( X_M \otimes (\sigma _k)_T\right) V_k^\dagger \\&\mathsf {Dec} _k(Y_C) = \mathrm {Tr}_{T}\left[ P^{\sigma _k}_T \left( V_k^\dagger Y_CV_k\right) P^{\sigma _k}_T \right] +\hat{D}_k\left[ \bar{P}^{\sigma _k}_T \left( V_k^\dagger Y_C V_k\right) \bar{P}^{\sigma _k}_T\right] . \end{aligned}$$

Here, $\sigma _k$ is a state on register T, $P^{\sigma _k}_T$ and $\bar{P}^{\sigma _k}_T$ are the orthogonal projectors onto the support of $\sigma ^{(k)}$ (see Sect. 2) and its complement (respectively), $V_k$ is a unitary operator, and $\hat{D}_k$ is a channel.

In practice, $\hat{D}_k$ (i.e., the map that is applied to any ciphertext outside of the range of $\mathsf {Enc} _k$) will just discard the state and replace it with $\bot $. Let us explain how the schemes we have seen so far fit into this characterization. For $\mathsf {2desTag} $, $\sigma _k$ is simply the (key-independent) pure state $|0^n\rangle \langle 0^n|_T$, $V_k$ is the unitary operator of the two-design corresponding to key k, $P^{\sigma _k} = |0^n\rangle \langle 0^n|$, and $\hat{D}_k$ replaces the state with $\bot $. For $\mathsf {1des^{PRF}} $, $\sigma _k$ is the maximally mixed state $\tau $ (i.e., the classical randomness r from Definition 2), and $V_k$ is the controlled-unitary which applies a quantum one-time pad on the first register, controlled on the contents of the second register (using the $\mathsf {pqPRF} $ f), i.e., $| x \rangle | r \rangle \mapsto P_{f_k(r)}| x \rangle | r \rangle $. Decryption undoes the controlled unitary and never rejects, i.e., $P^{\sigma _k} = \mathbbm {1}$. This corresponds to the fact that $\tau $ has full support.

By considering the spectral decomposition of the state $\sigma _k$ from Lemma 1, it is straightforward to show that encryption can always be implemented using unitary operators and only classical randomness. We state this fact as follows.

Corollary 1

Let $\varPi =(\mathsf {KeyGen}, \mathsf {Enc}, \mathsf {Dec})$ be a $\textsf {SKQES} $. Then for every k, there exists a probability distribution $p_k:\{0,1\}^t\rightarrow [0,1]$ and a family of quantum states $| \psi ^{(k,r)} \rangle _T$ such that $\mathsf {Enc} _k$ is equivalent to the following algorithm:

1.
sample $r \in \{0,1\}^t$ according to $p_k$;
2.
apply the following map: $\mathsf {Enc} _{k;r}(X_M) =V_k \left( X_M \otimes |\psi ^{(k,r)}\rangle \langle \psi ^{(k,r)}|_T \right) V_k^{\dagger }$.

Here $V_k$ and T are defined as in Lemma 1, and t is the number of qubits in T.

For example, in the case of $\mathsf {2desTag}$, the distribution is a point distribution and $| \psi ^{(k, r)} \rangle = | 0^t \rangle $. In $\mathsf {1des^{PRF}} $, the distribution is uniform and $| \psi ^{(k, r)} \rangle = | r \rangle $.

It is important to remark here that, even if $\mathsf {Enc} _k$ is a polynomial-time algorithm, the functionally-equivalent algorithm provided by Corollary 1 may not be. We thus define the following.

Condition 1

Let $\varPi $ be a $\textsf {SKQES}$, and let $p_k$, $| \psi ^{(k, r)} \rangle $ and $V_k$ be as given in Corollary 1. We say that $\varPi $ satisfies Condition 1 if there exist efficient quantum algorithms for (i) sampling from $p_k$, (ii) preparing $| \psi ^{(k, r)} \rangle $, and (iii) implementing $V_k$, and this holds for all but a negligible fraction of k and r.

We are not aware of any examples of $\textsf {SKQES}$ that violate Condition 1. In fact, in all schemes we will consider (including all schemes constructed via Definition 2), the distribution $p_k$ and the states $| \psi ^{(k, r)} \rangle $ are trivial to prepare, and the unitaries $V_k$ are implementable by poly-size quantum circuits. In any case, when Condition 1 is required for a particular result, we will state this explicitly.

Defining Ciphertext Authentication. We begin by outlining our approach. Fix an encryption scheme $\varPi $ with plaintext register M and ciphertext register C. Let $\varLambda _{CB\rightarrow C\tilde{B}}$ be an attack map. Intuitively, we would like to decide whether to accept or reject conditioned on whether $\varLambda $ has changed the ciphertext. A possible approach would be to use the simulator from Theorem 5.1 in [15]: in the case of acceptance, this simulator^{Footnote 3} ensures that $\varLambda $ is equivalent to $\mathbbm {1}_C \otimes \varPhi $ for some side-information map $\varPhi _{B \rightarrow \tilde{B}}$. While this approach is on the right track, it is unnecessarily strong as a definition of security: it prevents the adversary from even looking at (or copying) classical parts of the ciphertext! This would place strange requirements on encryption. It would disallow constant classical messages (e.g., “begin PGP message”) accompanying ciphertexts. It would also disallow a large class of natural schemes, including all schemes $\varPi ^f$ from Sect. 2. This class has many schemes that (intuitively speaking) should be adequate for authenticating poly-many quantum ciphertexts, such as the case where $\varPi $ applies a random unitary and f is a random function.

The key to finding the middle ground lies in Corollary 1: any scheme can be decomposed in a way that enables us to check separately whether the identity has been applied to the quantum part, and whether the classical register has changed. In effect, this will amount to an additional constraint over $\mathsf {DNS}$-authentication^{Footnote 4} (Definition 4), demanding extra structure from the simulator.

Recall that an attack $\varLambda _{CB \rightarrow C\tilde{B}}$ on the scheme $\varPi $ defines the averaged effective plaintext map $\varLambda ^\varPi _{MB\rightarrow M\tilde{B}} = \mathbb {E}_k[ \mathsf {Dec} _k \circ \varLambda \circ \mathsf {Enc} _k]$. We define ciphertext authentication as follows, using notation from Lemma 1 and Corollary 1.

Definition 5

A $\textsf {SKQES}$ $\varPi =(\mathsf {KeyGen}, \mathsf {Enc}, \mathsf {Dec})$ is ciphertext authenticating, or $\mathsf {QCA}$, if for all CP-maps $\varLambda _{CB\rightarrow C\tilde{B}}$, there exists a CP-map $\varLambda ^{\mathsf {rej}}_{B\rightarrow \tilde{B}}$ such that:

$$\begin{aligned} \left\| \varLambda ^\varPi _{MB\rightarrow M\tilde{B}} - \left( \mathrm {id}_M\otimes \varLambda ^{\mathsf {acc}}_{B\rightarrow \tilde{B}} + |\bot \rangle \langle \bot |_M\otimes \varLambda ^{\mathsf {rej}}_{B\rightarrow \tilde{B}}\right) \right\| _\diamond \le {\text {negl}} (n), \end{aligned}$$

(3)

and $\varLambda ^{\mathsf {acc}}_{B\rightarrow \tilde{B}}+\varLambda ^{\mathsf {rej}}_{B\rightarrow \tilde{B}}$ is TP. Here $\varLambda ^{\mathsf {acc}}_{B\rightarrow \tilde{B}}$ is given by:

$$\begin{aligned} \varLambda ^{\mathsf {acc}}_{B\rightarrow \tilde{B}} (Z_B) =\mathbb {E}_{k,r}\left[ \langle \varPhi _{k, r} | V_k^\dagger \varLambda \left( \mathsf {Enc} _{k;r}\left( \phi ^+_{MM'} \otimes Z_B \right) \right) V_k| \varPhi _{k, r} \rangle \right] \end{aligned}$$

(4)

where $| \varPhi _{k, r} \rangle = | \phi ^+ \rangle _{MM'}\otimes | \psi ^{(k,r)} \rangle _T.$

Condition (3) is simply $\mathsf {DNS}$. It ensures that, in the accept case, the adversary performs the identity on the plaintext. Condition (4) demands that the rest of the action (i.e., on the side-information) is well-simulated by the following:

1.
prepare a maximally entangled state $\phi ^+_{MM'}$ and attach it to the input B;
2.
run encryption, saving the classical randomness r used (meaning that the tag register T was prepared in the state $| \psi ^{(k, r)} \rangle $);
3.
apply decryption while conditioning on (i) the plaintext still being maximally entangled with $M'$, and (ii) register T still containing $| \psi ^{(k, r)} \rangle $;
4.
output the contents of $\tilde{B}$.

Note that this definition only adds further constraints to $\mathsf {DNS}$. Recalling that $\mathsf {DNS}$ implies $\mathsf {QIND}$ [9, 21], we thus have the following.

Theorem 7

If a $\textsf {SKQES}$ is $\mathsf {QCA}$, then it is also $\mathsf {DNS}$; in particular, it is $\mathsf {QIND}$.

It is not difficult to see that the security proof in Theorem 5.1 of [15] (for establishing $\mathsf {DNS}$ of the Clifford scheme) actually applies to arbitrary 2-designs, and in fact proves $\mathsf {QCA}$ and not only $\mathsf {DNS}$. We thus have that the scheme $\mathsf {2desTag}$ fulfills ciphertext authentication. For details on the separation between $\mathsf {QCA}$ and $\mathsf {DNS}$, see the appendix of the full version of this paper [4].

Computational-Security Variant. We now briefly record a computational-security variant of one-time ciphertext authentication, which simply requires that all elements in Definition 5 are efficient.

Definition 6

A $\textsf {SKQES}$ $\varPi =(\mathsf {KeyGen}, \mathsf {Enc}, \mathsf {Dec})$ is computationally ciphertext authenticating ($\mathsf {cQCA}$) if, for any efficiently implementable attack map $\varLambda _{CB\rightarrow C\tilde{B}}$, the effective attack $\tilde{\varLambda }_{MB\rightarrow M \tilde{B}}$ is computationally indistinguishable from the simulator:

$$\begin{aligned} \varLambda ^{\mathrm {sim}}_{MB\rightarrow M\tilde{B}}=\mathrm {id}_M\otimes \varLambda ^{\mathsf {acc}}_{B\rightarrow \tilde{B}}+|\bot \rangle \langle \bot |_M\otimes \varLambda ^{\mathsf {reject}}_{B\rightarrow \tilde{B}}. \end{aligned}$$

(5)

Here the simulator is given by:

$$\begin{aligned} \varLambda ^{\mathsf {acc}}_{B\rightarrow \tilde{B}}&=\mathbb {E}_{k,r}\left[ \langle \varPhi _{k, r} | V_k^\dagger \varLambda \left( \mathsf {Enc} _{k;r}\left( \phi ^+_{MM'}\otimes (\cdot )_B\right) \right) V_k| \varPhi _{k, r} \rangle \right] ~ and\nonumber \\ \varLambda ^{\mathsf {reject}}_{B\rightarrow \tilde{B}}&=\mathbb {E}_{k,r}\left[ \mathrm {Tr}\left( \mathbbm {1}-|\varPhi _{k, r}\rangle \langle \varPhi _{k, r}|\right) V_k^\dagger \varLambda \left( \mathsf {Enc} _{k;r}\left( \phi ^+_{MM'}\otimes (\cdot )_B\right) \right) V_k\right] , \end{aligned}$$

(6)

where: $| \varPhi _{k, r} \rangle = | \phi ^+ \rangle _{MM'}\otimes | \psi ^{(k,r)} \rangle _T.$

Because we fix the form of the simulator in the reject case, the simulator is efficiently implementable just as in [15] for schemes that satisfy Condition 1. It is straightforward to define a computational variant of $\mathsf {DNS}$ [15], which we denote by $\mathsf {cDNS}$. Given that Theorem 7 only talks about computationally bounded quantum adversaries, it also applies to $\mathsf {cDNS}$. In particular we have the following.

Proposition 1

If a $\textsf {SKQES}$ is $\mathsf {cQCA}$, then it is also $\mathsf {cDNS}$; in particular, it satisfies $\mathsf {QIND}$.

4 Quantum Unforgeability

Translating the standard classical intuition of ciphertext unforgeability to the quantum setting appears nontrivial. As we develop our approach, it will be useful to keep in mind a “prototype” scheme that should (intuitively) satisfy quantum unforgeability against a polynomial-time adversary making an arbitrary number of queries. This is the scheme $\mathsf {2desTag} ^\mathsf {PRF} $, which encrypts via:

$$ \mathsf {Enc} _k ( \varrho ) = U_{f_k(r)} \left( \varrho \otimes \left| 0^n\right\rangle \left\langle 0^n\right| \right) U_{f_k(r)}^\dagger \otimes \left| r\right\rangle \left\langle r\right| $$

where k is a key for the $\mathsf {pqPRF} $ f and r is randomness selected freshly for each encryption. This scheme is characterized (via Lemma 1) by the key-independent “tag state” $\left| 0^n\right\rangle \left\langle 0^n\right| \otimes \tau $ (where $\tau $ is the maximally mixed state) and the unitary $V_k$ which applies $U_{f_k(\cdot )}$ on the first two registers, controlled on the third register (i.e., the randomness r).

To see why this scheme should be unforgeable, assume for the moment that $U_s$ is a Haar-random unitary and $f_k$ is a perfectly random function. Intuitively, from the point of view of the adversary, each plaintext is mapped into a subspace which is fresh, independent, random, and exponentially-small as a fraction of the total dimension (of the ciphertext space). Security should then reduce to the security of multiple uses of a $\mathsf {QCA}$ one-time scheme, each time with a freshly generated key. We will carefully formalize this intuition in a later section.

Formal Definitions. Our definition will compare the performance of an adversary in two games: an unrestricted forgery game, and a cheat-detecting game. Fix an $\textsf {SKQES}$ $\varPi = (\mathsf {KeyGen}, \mathsf {Enc}, \mathsf {Dec})$ and let $\mathcal {A} $ be an adversary in the following.

Experiment 1

The $\mathsf {QUF\text {-}Forge} (\varPi , \mathcal A, n)$ experiment:

We will think about this experiment as taking place between the adversary $\mathcal {A} $ and a challenger $\mathcal C$, who generates the key k, answers the queries of $\mathcal {A} $, and then decrypts to see the outcome of the game.

We now consider a different experiment where $\mathcal C$ attempts to check $\mathcal {A} $ for cheating. We will make use of the maximally entangled state $| \phi ^+ \rangle _{M'M''}$ on two copies ($M'$ and $M''$) of the plaintext register, and the corresponding measurement $\{\varPi ^+_{M'M''}, \mathbbm {1}- \varPi ^+_{M'M''}\}$. We will also need a measurement that will help $\mathcal C$ identify previously generated ciphertexts. Recall from Sect. 3 that correctness implies that $\mathsf {Enc} $ can be written in the form $\mathsf {Enc} _k(X)=V_k\bigl (X_M\otimes \sigma _k \bigr )V_k^\dagger $ where $\sigma ^{(k)}_T=\sum _r p_k(r) \varPi _{k, r}$ and $\varPi _{k, r} = |\psi ^{(k,r)}\rangle \langle \psi ^{(k,r)}|_T$. This also defines, for each (k, r), the two-outcome measurement $\{\varPi _{k, r}, \mathbbm {1}- \varPi _{k, r}\}$. In all these two-outcome measurements, we denote the first outcome by 0 and the second outcome by 1. Notice that these projectors commute, as $| \psi ^{(k,r)} \rangle _T$ are elements of an orthonormal basis of eigenvectors.

Experiment 2

The $\mathsf {QUF\text {-}Cheat} (\varPi , \mathcal {A}, n)$ experiment:

Note that the experiment always outputs $\mathsf {reject}$ if $\mathcal {A} $ makes no queries. We emphasize that $\mathcal C$ is a fixed algorithm defined by the security game and the properties of $\varPi $. The challenger is efficient if the states $|\psi ^{(k,r)}\rangle \langle \psi ^{(k,r)}|$ and the unitary $V_k$ are efficiently implementable and the probability distribution $p_k$ is efficiently sampleable. We believe this is not a significant constraint. It is easily satisfied in all schemes we are aware of. Moreover, in light of Lemma 1, it seems unlikely that any reasonable form of ciphertext unforgeability can be defined without this requirement. We are now ready to define security.

Definition 7

A $\textsf {SKQES} $ $\varPi $ has unforgeable ciphertexts (or is $\mathsf {QUF} $) if, for all QPT adversaries $\mathcal {A} $, it holds:

$$ \left| \Pr [\mathsf {QUF\text {-}Forge} (\varPi , \mathcal {A}, n) \rightarrow \mathsf {win} ] - \Pr [\mathsf {QUF\text {-}Cheat} (\varPi , \mathcal {A}, n) \rightarrow \mathsf {cheat} ]\right| \le {\text {negl}} (n)\,. $$

It is straightforward to adapt the above definition to the bounded-query setting, where we fix some positive integer t (at scheme design time) and demand that adversaries can make no more than t queries. We call the resulting notion $\mathsf {QUF} _t$. One then has the obvious implications $\mathsf {QUF} \Rightarrow \mathsf {QUF} _t \Rightarrow \mathsf {QUF} _{t-1} \forall \, t \in \mathbb {N}$.

Let us briefly discuss a potential concern with these definitions. Consider the repeated measurements applied to the adversary’s final output $C_\textsf {out}$ (Line 6 and Line 8) in $\mathsf {QUF\text {-}Cheat}$. The first measurement simply compares the randomness of $C_\textsf {out}$ to that of previously generated ciphertexts. Such measurements will not disturb properly-formed ciphertexts at all, and malformed ones will not affect our security definition. The second measurement actually measures the plaintext register M, and thus might (a priori) appear to be concerning. Indeed, if multiple such measurements are applied to M, this might open up a vulnerability to attacks. As it turns out, this is not a problem. We will shortly show (see Theorem 8 below) that $\mathsf {QUF}$ implies $\mathsf {QIND\text {-}CPA}$. For $\mathsf {QIND\text {-}CPA}$ schemes, any given random string r is only chosen with negligible probability at encryption time (if not, querying the encryption oracle a polynomial number of times with the challenge plaintext would be enough to compromise security). It follows that, with overwhelming probability, the random strings chosen in the different oracle calls in $\mathsf {QUF\text {-}Cheat}$ are pairwise distinct. This, in turn, implies that the measurement in Line 8 is applied at most once in a given run of the experiment.

Relationship to Other Security Notions. It is well-known that even one-time quantum authentication implies $\mathsf {QIND}$ secrecy [9]. As we now show, $\mathsf {QUF}$ implies an even stronger notion of secrecy, $\mathsf {QIND\text {-}CPA}$. This is a significant departure from classical unforgeability, which is completely independent of secrecy.

Theorem 8

If a $\textsf {SKQES}$ satisfies $\mathsf {QUF}$, then it also satisfies $\mathsf {QIND\text {-}CPA}$.

Proof

Let $\varPi $ be a $\textsf {SKQES} $, and let $\mathcal {A} $ be an adversary winning $\mathsf {QIND\text {-}CPA} $ with non-negligible advantage $\nu $ over guessing, with pre-challenge algorithm $\mathcal {A} _1$ and post-challenge algorithm $\mathcal {A} _2$. We will build an adversary $\mathcal {B} $ with black-box oracle access to $\mathcal {A} $, able to distinguish between the $\mathsf {QUF\text {-}Forge} $ game and the $\mathsf {QUF\text {-}Cheat} $ game with non-negligible advantage over guessing, as follows:

1.
$\mathcal {B} $ runs $\mathcal {A} _1(1^n)$, answering its queries using his own oracle $\mathcal O$;
2.
get registers M (challenge plaintext) and B (side information) from $\mathcal {A} _1$;
3.
choose a random bit ; if $b = 1$, then replace contents of M with a maximally-mixed state;
4.
invoke oracle $\mathcal O$ on M and place result in register C;
5.
run $\mathcal {A} _2$ on registers C and B, receiving output $b' \in \{0,1\}$;
6.
if $b = b'$, then output $\mathsf {real}$; else output $\mathsf {real}$ or $\mathsf {ideal}$ with equal probability.

Note that, if $\mathcal {B} $ is playing $\mathsf {QUF\text {-}Forge} $, then $\mathcal O = \mathsf {Enc} _k$ and we are faithfully simulating the $\mathsf {QIND\text {-}CPA} $ game for $\mathcal {A} $. It follows that $b = b'$ with probability at least $1/2 + \nu $. If $\mathcal {B} $ is playing $\mathsf {QUF\text {-}Cheat} $ instead, $\mathcal O$ discards its input (and replaces it with half of a maximally-entangled state) on every call. In that case, all inputs to $\mathcal {A} _1$ and $\mathcal {A} _2$ are completely uncorrelated with b, so that $b'=b$ with probability $1 \slash 2$. Therefore, $\mathcal {A} '$ will correctly guess the game it is playing in with non-negligible advantage.

Now it is easy to see how to use $\mathcal {B} $ to violate the main condition in the definition of $\mathsf {QUF} $ with the same distinguishing advantage. First, query the oracle once and store the output in register C. Next, run $\mathcal {B} $. If $\mathcal {B} $ outputs $\mathsf {real}$, then output the contents of C (achieving $\mathsf {win} $ in $\mathsf {QUF\text {-}Forge} $). Otherwise, output a random state in the ciphertext register (achieving $\mathsf {reject} $ in $\mathsf {QUF\text {-}Cheat} $). $\square $

We also study the restriction of the quantum notion $\mathsf {QUF}$ to the classical case, i.e., classical symmetric-key encryption schemes ($\textsf {SKES}$) vs classical adversaries. We denote this classical restriction by $\mathsf {UF}$. In this notion, the classical unrestricted forgery game $\mathsf {UF\text {-}Forge} $ is defined precisely as in Experiment 1. Regarding the quantum game $\mathsf {QUF\text {-}Cheat} $, notice that, in any classical scheme, one can apply ciphertext verification to a string c as follows: (i) make a copy $c'$ of c, (ii) decrypt c, (iii) if decryption rejected, output reject, and otherwise output $c'$. In other words, all classical encryption schemes automatically satisfy Condition 1. The appropriate classical restriction $\mathsf {UF\text {-}Cheat} $ of this game thus proceeds as Experiment 2, with two modifications: (i) in step 2:, $\mathcal C$ replaces the plaintext in register $M_j$ by a random plaintext, encrypts it, and stores a copy of the resulting ciphertext in $C_j$; and (ii) in step 4:, without decrypting, the game outputs $\mathsf {cheat} $ if the challenge ciphertext C equals any one of the saved $C_j$’s. We then have the following.

Definition 8

A $\textsf {SKES}$ $\varPi $ has unforgeable ciphertexts (or is $\mathsf {UF} $) if, for all PPT adversaries $\mathcal {A} $,

$$ \left| \Pr [\mathsf {UF\text {-}Forge} (\varPi , \mathcal {A}, n) \rightarrow \mathsf {win} ] - \Pr [\mathsf {UF\text {-}Cheat} (\varPi , \mathcal {A}, n) \rightarrow \mathsf {cheat} ]\right| \le {\text {negl}} (n)\,. $$

The proof of Theorem 8 carries over easily to the classical case. Moreover, one can show how $\mathsf {UF}$ implies the classical security notion of integrity of ciphertexts $\mathsf {INT\text {-}CTXT}$ [10], which states that no bounded adversary with oracle access to an encryption oracle can produce a ciphertext which is at the same time (i) valid, and (ii) fresh, i.e., never output by the oracle. Recall that, classically, it is known [10] that $\mathsf {INT\text {-}CTXT}$ plus $\mathsf {IND\text {-}CPA}$ defines authenticated encryption $\mathsf {AE}$. Therefore, the notion of unforgeability of ciphertexts, when restricted to the classical case, is at least as strong as authenticated encryption. However, one can also show the converse, i.e., $\mathsf {AE}$ implies $\mathsf {UF}$.

Theorem 9

$\mathsf {UF} \iff \mathsf {AE} $.

Proof

The first non-trivial part to prove is $\mathsf {UF} \implies \mathsf {INT\text {-}CTXT} $. Let $\varPi $ be an $\mathsf {INT\text {-}CTXT}$ insecure $\textsf {SKES}$. Then there exists an adversary $\mathcal {A}$ with oracle access to $\mathsf {Enc} _k$ which, with non-negligible probability $\nu $, outputs a ciphertext c which was never output by the encryption oracle. Define a PPT algorithm $\mathcal {B}$ with oracle access to $\mathsf {Enc} _k$, as follows. First, $\mathcal {B}$ executes $\mathcal {A}$ and records a list L of all $\mathsf {Enc} _k$’s answers $c_j$ output to $\mathcal {A}$. When $\mathcal {A}$ outputs a ciphertext c, if $c \in L$, $\mathcal {B}$ outputs a random ciphertext $c'$; else it outputs c. For $\mathcal {B}$, the success probabilities in the games defining $\mathsf {UF}$ are as follows:

in the $\mathsf {UF\text {-}Forge} $ experiment, since c is a fresh ciphertext with non-negligible probability $\nu $, $\mathcal {B}$ wins $\mathsf {UF\text {-}Forge}$ with probability at least $\nu $.
In $\mathsf {UF\text {-}Cheat} $ instead, whenever the ciphertext is not fresh, $\mathcal {B}$ replaces it with a random one, and hence only wins $\mathsf {UF\text {-}Cheat}$ with negligible probability.

The fact that a random ciphertext is invalid with overwhelming probability follows by considering an adversary that does not make any queries. So we have:

$$ \left| \Pr [\mathsf {UF\text {-}Forge} (\varPi , \mathcal {A} ', n) \rightarrow \mathsf {win} ] - \Pr [\mathsf {UF\text {-}Cheat} (\varPi , \mathcal {A} ', n) \rightarrow \mathsf {cheat} ]\right| \ge \nu , $$

and hence $\varPi $ cannot be $\mathsf {UF} $.

The other direction to prove is $\mathsf {AE} \implies \mathsf {UF} $. For this, we will use an equivalent characterization of $\mathsf {AE}$, also known in the literature as $\mathsf {IND\text {-}CCA3}$ [28]. In this definition, the adversary’s goal is to distinguish whether he’s playing in the $\mathsf {AE\text {-}Real}$ world, or in the $\mathsf {AE\text {-}Ideal}$ world. In the $\mathsf {AE\text {-}Real}$ world, the adversary can interact freely with an encryption oracle $\mathsf {Enc} _k$, and with a restricted decryption oracle $\mathsf {Dec} _k$ which always rejects ($\bot $) decryption queries over any ciphertext which was output by $\mathsf {Enc} _k$. In the $\mathsf {AE\text {-}Ideal}$ world, instead, the adversary is interacting with an oracle $\mathsf {Enc} _k(\$)$ (which ignores the input query, and always returns the encryption of a fresh random plaintext), and a constant $\bot $ oracle (which simulates the decryption oracle but always rejects any query). A scheme $\varPi $ is $\mathsf {AE}$ secure iff, for any adversary $\mathcal {A}$ it holds:

$$ \left| \Pr \left[ \mathsf {AE\text {-}Real} (\varPi ,\mathcal {A},n) \rightarrow 1 \right] - \Pr \left[ \mathsf {AE\text {-}Ideal} (\varPi ,\mathcal {A},n) \rightarrow 1 \right] \right| \le {\text {negl}} (n)\,. $$

Now, let $\mathcal {A}$ be a PPT adversary breaking $\mathsf {UF}$ for a scheme $\varPi $. This means that there exists a non-negligible function $\nu $ such that:

$$ \left| \Pr [\mathsf {UF\text {-}Forge} (\varPi , \mathcal {A}, n) \rightarrow \mathsf {win} ] - \Pr [\mathsf {UF\text {-}Cheat} (\varPi , \mathcal {A}, n) \rightarrow \mathsf {cheat} ]\right| \ge \nu (n)\,. $$

We use $\mathcal {A}$ to build an adversary $\mathcal {B}$ able to distinguish $\mathsf {AE\text {-}Real}$ from $\mathsf {AE\text {-}Ideal}$. The new adversary $\mathcal {B}$ runs $\mathcal {A}$ and forwards all of $\mathcal {A}$’s encryption queries to his own encryption oracle. Finally, when $\mathcal {A}$ outputs a ciphertext c, $\mathcal {B}$ queries his own decryption oracle on c, and looks at the oracle’s response. If the response is not $\bot $, then $\mathcal {B}$ returns $\mathsf {real}$, otherwise returns $\mathsf {real}$ or $\mathsf {ideal}$ with equal chance.

It is easy to see that $\mathcal {B}$ distinguishes $\mathsf {AE\text {-}Ideal}$ from $\mathsf {AE\text {-}Real}$ with non-negligible advantage at least $\nu /2$ over guessing. The reason is as follows. If $\mathcal {B}$ is in the $\mathsf {AE\text {-}Real}$ world (probability $1 \slash 2$), then he is correctly simulating for $\mathcal {A} $ the $\mathsf {UF\text {-}Forge}$ game. Since $\mathcal {A}$ breaks $\mathsf {UF}$ by assumption, it means that, with probability at least $\nu $, his output c will be a fresh valid ciphertext; in that case, also $\mathcal {B}$ wins. On the other hand, if the world is $\mathsf {AE\text {-}Ideal}$, $\mathcal {B}$ still wins with probability $1 \slash 2$. $\square $

This means that $\mathsf {UF}$ is actually another characterization of authenticated encryption. This is an interesting observation, given that $\mathsf {UF}$ comes from the classical restriction of a quantum notion “merely” concerning the unforgeability of ciphertexts. However, we stress that this equivalence only holds at the classical level, and that this is insufficient evidence to declare that $\mathsf {UF}$ serves the same purpose quantumly as $\mathsf {AE}$ does classically. In fact, in Sect. 6 we introduce a quantum analogue of $\mathsf {AE}$ which we call $\mathsf {QAE}$, and provide stronger evidence that the latter is in fact the correct analogue.

5 Quantum $\mathsf {IND\text {-}CCA2}$

Next, we move to the problem of defining adaptive chosen-ciphertext security for quantum encryption. In the usual classical formulation ($\mathsf {IND\text {-}CCA2}$), the adversary $\mathcal A$ receives both an encryption oracle and a decryption oracle for the entire duration of the indistinguishability game. To eliminate the trivial strategy, we do not permit $\mathcal A$ to query the decryption oracle on the challenge ciphertext. This last condition does not make sense in the quantum setting, for a number of reasons we’ve seen before: no-cloning prevents us from storing a copy of the challenge, measurement may destroy the states involved, and so on. However, our approach to defining unforgeability can be adapted to this case. The resulting notion of quantum indistinguishability under adaptive chosen-ciphertext attacks ($\mathsf {QIND\text {-}CCA2}$) can also be recast in the public-key quantum encryption setting.

Formal Definition. As before, we will compare the performance of the adversary in two games. In each case, the adversary $\mathcal {A} =(\mathcal A_1,\mathcal A_2)$ consists of two parts (pre-challenge and post-challenge), and is playing against the challenger $\mathcal C$, which is a fixed algorithm determined only by the security game and the scheme.

Experiment 3

The $\mathsf {QCCA2\text {-}Test} (\varPi , \mathcal A, n)$ experiment:

Notice that in this game there are no restrictions on the use of $\mathsf {Dec} _k$ by $\mathcal A_2$. In particular, $\mathcal A_2$ is free to decrypt the challenge. In the second game, the challenge plaintext is replaced by half of a maximally entangled state, and $\mathcal {A} $ only gains an advantage over guessing if he cheats, i.e., if he tries to decrypt the challenge.

Experiment 4

The $\mathsf {QCCA2\text {-}Fake} (\varPi , \mathcal A, n)$ experiment:

We now define quantum $\mathsf {IND\text {-}CCA2}$ in terms of the advantage gap of adversaries between the above two games.^{Footnote 5}

Definition 9

A $\textsf {SKQES} $ $\varPi $ is $\mathsf {QIND\text {-}CCA2}$ if, for all QPT adversaries $\mathcal {A} $,

$$ \Pr [\mathsf {QCCA2\text {-}Test} (\varPi , \mathcal {A}, n) \rightarrow \mathsf {win} ] - \Pr [\mathsf {QCCA2\text {-}Fake} (\varPi , \mathcal {A}, n) \rightarrow \mathsf {cheat} ] \le {\text {negl}} (n)\,. $$

The omission of absolute values in the above is intentional. Indeed, an adversary can artificially inflate his cheating probability by querying the decryption oracle on the challenge and then ignoring the result. What he should not be able to do (against a secure scheme) is make his win probability larger than his cheating probability. We note that $\mathsf {QIND\text {-}CCA2}$ clearly implies $\mathsf {QIND\text {-}CCA1}$.

Proposition 2

$\mathsf {QIND\text {-}CCA2}\implies \mathsf {QIND\text {-}CCA1}$.

Proof

Suppose we have a scheme $\varPi $ which is not $\mathsf {QIND\text {-}CCA1}$, i.e., there exists an adversary $\mathcal {A} $ which wins the usual $\mathsf {QIND\text {-}CCA1}$ game with non-negligible advantage $\nu $ over guessing. Clearly $\mathcal {A} $ can also play the games $\mathsf {QCCA2\text {-}Test}$ and $\mathsf {QCCA2\text {-}Fake}$, but will not query the decryption oracle post-challenge. Note that $\mathcal {A} $ wins $\mathsf {QCCA2\text {-}Test}$ with probability $1/2 + \nu $, but is declared as cheating in $\mathsf {QCCA2\text {-}Fake}$ with probability exactly $1 \slash 2$. Hence $\varPi $ is not $\mathsf {QIND\text {-}CCA2}$. $\square $

Next, we show that the classical restriction of $\mathsf {QIND\text {-}CCA2}$ is equivalent to the classical security notion $\mathsf {IND\text {-}CCA2}$. We denote the classical restriction of $\mathsf {QIND\text {-}CCA2}$ by $\mathsf {IND\text {-}CCA2}'$. This is defined by adapting the replacement and verification procedure of the challenger in $\mathsf {QCCA2\text {-}Test}$ in the same way as when defining $\mathsf {UF}$. We denote the classical versions of the games $\mathsf {QCCA2\text {-}Test}$ and $\mathsf {QCCA2\text {-}Fake}$ by $\mathsf {CCA2\text {-}Test}$ and $\mathsf {CCA2\text {-}Fake}$, respectively.

Theorem 10

A $\textsf {SKES} $ $\varPi $ is $\mathsf {IND\text {-}CCA2}'$ iff it is $\mathsf {IND\text {-}CCA2}$.

Proof

Suppose first that $\mathcal {A} $ is an adversary breaking $\mathsf {IND\text {-}CCA2}$ $^\prime $, i.e., winning $\mathsf {CCA2\text {-}Test}$ with non-negligible advantage $\nu $ over the probability of winning $\mathsf {CCA2\text {-}Fake}$. We construct an adversary $\mathcal {A} '$, that runs $\mathcal {A} $, keeps a copy of the challenge ciphertext and aborts by giving a random answer whenever $\mathcal {A} $ is about to query the decryption oracle with the challenge ciphertext. Note that $\mathcal {A} '$ wins $\mathsf {CCA2\text {-}Fake}$ with probability exactly $1 \slash 2$. We call $\mathcal {A} '$ the self-checking version of $\mathcal {A} $. It is easy to show that $\mathcal {A} '$ wins the $\mathsf {CCA2\text {-}Test}$ game with probability at least $1/2+\nu $:

$$\begin{aligned}&\Pr \left[ \mathcal {A} '\text { wins }\mathsf {CCA2\text {-}Test} \right] \\ =\,&\Pr \left[ \mathcal {A} \text { wins }\mathsf {CCA2\text {-}Test} \wedge \mathcal {A} \text { does not cheat}\right] +\frac{1}{2}\Pr \left[ \mathcal {A} \text { cheats}\right] \\ \ge \,&\Pr \left[ \mathcal {A} \text { wins }\mathsf {CCA2\text {-}Test} \right] -\frac{1}{2}\Pr \left[ \mathcal {A} \text { cheats}\right] \\ \ge \,&\Pr \left[ \mathcal {A} \text { wins }\mathsf {CCA2\text {-}Fake} \right] +\frac{1}{\nu }-\frac{1}{2}\Pr \left[ \mathcal {A} \text { cheats}\right] = \frac{1}{2}+\nu \,. \end{aligned}$$

The first inequality is $\Pr [A\wedge B]\ge \Pr [A]-\Pr [\lnot B]$ and the second inequality is the assumption. But the $\mathsf {CCA2\text {-}Test}$ and $\mathsf {IND\text {-}CCA2}$ games are identical for adversaries that do not query the challenge, and $\mathcal {A} '$ has been constructed not to, i.e., $\mathcal {A} '$ wins the $\mathsf {IND\text {-}CCA2}$ game with probability $1/2+\nu $.

For the other direction, let $\mathcal {A} $ be an adversary that wins the $\mathsf {IND\text {-}CCA2}$ game with non-negligible advantage. Let $\mathcal {A} '$ be the self-checking version of $\mathcal {A} $. Note that $\mathcal {A} $ and $\mathcal {A} '$ behave the same in both the $\mathsf {IND\text {-}CCA2}$ and $\mathsf {CCA2\text {-}Test}$ games, as $\mathcal {A} $ never submits the challenge ciphertext there by assumption. In the $\mathsf {CCA2\text {-}Fake}$ game, however, $\mathcal {A} $ could, in principle, query the oracle with the challenge ciphertext, which is why we have to resort to the use of $\mathcal {A} '$. The latter is a successful adversary for $\mathsf {IND\text {-}CCA2}'$: It wins the $\mathsf {CCA2\text {-}Test} $ game with non-negligible advantage over random guessing by assumption, but it wins the $\mathsf {CCA2\text {-}Fake}$ game with probability exactly $\frac{1}{2}$. $\square $

6 Quantum Authenticated Encryption

In the classical setting, authenticated encryption ($\mathsf {AE}$) is defined as $\mathsf {IND\text {-}CCA2}$ and unforgeability of ciphertexts (see Definition 4.17 in [25]) or, equivalently, $\mathsf {IND\text {-}CPA}$ and unforgeability of ciphertexts [10]. A third equivalent formulation due to Shrimpton [28] defines $\mathsf {AE}$ in terms of a real vs ideal scenario. According to this definition, a classical scheme $\varPi = (\mathsf {KeyGen}, \mathsf {Enc}, \mathsf {Dec})$ is $\mathsf {AE}$ if no adversary, given oracles E and D, can distinguish these two scenarios:

$\mathsf {AE\text {-}Real}$: (E, D) is $(\mathsf {Enc} _k, \mathsf {Dec} _k)$ with $k \leftarrow \mathsf {KeyGen} $;
$\mathsf {AE\text {-}Ideal}$: E discards the input and returns $\mathsf {Enc} _k(m)$ for random m, and D always rejects; here again $k \leftarrow \mathsf {KeyGen} $;

This is not yet enough, because the adversary $\mathcal {A} $ can always distinguish real from ideal by composing E with D. To patch this problem, we can (i) demand that $\mathcal {A} $ cannot do that, as in [28], or (ii) add the condition $D \circ E = \mathbbm {1}$ to the ideal case^{Footnote 6}. We will take the latter approach.

Motivated by this formulation of $\mathsf {AE}$ and our general strategy so far, we will define quantum authenticated encryption by comparing the performance of the adversary in a real world and an ideal world. In the real world, the adversary gets unrestricted access to $\mathsf {Enc} _k$ and $\mathsf {Dec} _k$. In the ideal world, the challenger $\mathcal C$ stores the $\mathsf {Enc} _k$ queries, replacing them with halves of maximally-entangled states; when a $\mathsf {Dec} _k$ query is detected as corresponding to a particular earlier $\mathsf {Enc} _k$ query, $\mathcal C$ replies with the contents of the stored register; otherwise $\mathsf {Dec} _k$ rejects. Cheat detection is performed just as in the unforgeability game $\mathsf {QUF\text {-}Cheat}$.

Formal Definition. We now formally define the two worlds: the real world $\mathsf {QAE\text {-}Real}$, and the ideal (or cheat-detecting) world $\mathsf {QAE\text {-}Ideal}$. In both cases, the adversary $\mathcal A$ receives two oracles and then outputs a single bit.

Experiment 5

The $\mathsf {QAE\text {-}Real} (\varPi , \mathcal A, n)$ experiment:

In the ideal setting, it will be convenient to describe the experiment in terms of an interaction between $\mathcal {A} $ and the challenger $\mathcal C$, a fixed algorithm determined only by the security game and the properties of $\varPi $.

Experiment 6

The $\mathsf {QAE\text {-}Ideal} (\varPi , \mathcal A, n)$ experiment:

Note that, as before, we number the measurement outcomes by 0 (the first outcome) and 1 (the second outcome). With the above games defined, we can now set down our definition of quantum authenticated encryption.

Definition 10

A $\textsf {SKQES}$ $\varPi =(\mathsf {KeyGen},\mathsf {Enc},\mathsf {Dec})$ is an authenticated quantum encryption scheme (or is $\mathsf {QAE}$) if, for all QPT adversaries $\mathcal {A} $:

$$\begin{aligned} \left| \Pr \left[ \mathsf {QAE\text {-}Real} (\varPi , \mathcal A, n) \rightarrow \mathsf {real} \right] - \Pr \left[ \mathsf {QAE\text {-}Ideal} (\varPi , \mathcal A, n) \rightarrow \mathsf {real} \right] \right| \le {\text {negl}} (n). \end{aligned}$$

Relationship to Other Security Notions. Next, we give evidence that $\mathsf {QAE}$ is indeed the correct formalization of a quantum analogue of $\mathsf {AE}$, by showing that it implies all of the quantum security notions defined thus far. We begin with adaptive chosen-ciphertext security.

Theorem 11

$\mathsf {QAE} \implies \mathsf {QIND\text {-}CCA2}$.

Proof

The proof is similar to that of Theorem 8. For a scheme $\varPi $, let $\mathcal {A}$ be an adversary against $\mathsf {QIND\text {-}CCA2}$, e.g., let us say that:

$$ \Pr \left[ \mathsf {QCCA2\text {-}Test} (\varPi ,\mathcal {A},n) \rightarrow \mathsf {win} \right] = \Pr \left[ \mathsf {QCCA2\text {-}Fake} (\varPi ,\mathcal {A},n) \rightarrow \mathsf {cheat} \right] + \nu (n)\, , $$

for non-negligible $\nu $. We then show how to build another adversary $\mathcal {B} $ with black-box access to $\mathcal {A}$, able to distinguish $\mathsf {QAE\text {-}Real}$ from $\mathsf {QAE\text {-}Ideal}$.

$\mathcal {B} $ runs $\mathcal {A}$, and forwards all of $\mathcal {A}$’s queries to his own oracles. When eventually $\mathcal {A}$ outputs a challenge plaintext state, $\mathcal {B}$ flips a random bit b. If $b=0$, then $\mathcal {B}$ forwards the challenge plaintext to his encryption oracle as usual. Otherwise, if $b=1$, $\mathcal {B}$ replaces the challenge with a totally mixed plaintext state before relaying it to the oracle. After that, $\mathcal {B}$ continues to answer $\mathcal {A}$’s queries during the second quantum CCA phase as before, by forwarding all the queries to his oracles, until $\mathcal {A}$ produces an output bit $b'$. Finally, if $b=b'$, then $\mathcal {B}$ outputs $\mathsf {real}$, otherwise he outputs $\mathsf {ideal}$.

Now notice the following: If we are in the $\mathsf {QAE\text {-}Real}$ environment (that is, $\mathcal {B}$ has unrestricted $\mathsf {Enc}$ and $\mathsf {Dec}$ oracles), then $\mathcal {B}$ is faithfully simulating for $\mathcal {A}$ the $\mathsf {QCCA2\text {-}Test}$ game, which means that the probability of $\mathcal {B}$ correctly outputting $\mathsf {real}$ is exactly the same probability of $\mathcal {A}$ of winning $\mathsf {QCCA2\text {-}Test}$.

If we are in the $\mathsf {QAE\text {-}Ideal}$ world, instead, $\mathcal {B}$ is playing in a “malformed” game, where all his encryption queries are replaced by random plaintexts before encryption. This means that the best $\mathcal {A}$ could do in order to guess the secret bit b is guessing at random, unless $\mathcal {A}$ uses a “cheating decryption query” on the challenge ciphertext (in this case the modified decryption oracle of the game $\mathsf {QAE\text {-}Ideal}$ would actually return the encrypted plaintext). Looking at the description of the $\mathsf {QCCA2\text {-}Fake}$ game, it is clear that this is exactly the same as $\Pr [\mathsf {QCCA2\text {-}Fake} (\varPi ,\mathcal {A},n) \rightarrow \mathsf {cheat} ]$. So, summing up:

$$\begin{aligned}&\Big | \Pr \left[ \mathsf {QAE\text {-}Real} (\varPi ,\mathcal {B},n) \rightarrow \mathsf {Real} \right] - \Pr \left[ \mathsf {QAE\text {-}Ideal} (\varPi ,\mathcal {B},n) \rightarrow \mathsf {Real} \right] \Big | \\ =&\Big | \Pr \left[ \mathsf {QCCA2\text {-}Test} (\varPi ,\mathcal {A},n) \rightarrow \mathsf {win} \right] - \Pr \left[ \mathsf {QCCA2\text {-}Fake} (\varPi ,\mathcal {A},n) \rightarrow \mathsf {cheat} \right] \Big | =\nu \, , \end{aligned}$$

which concludes the proof. $\square $

In terms of authentication security, we can show that $\mathsf {QAE}$ implies $\mathsf {cQCA}$ (computational one-time ciphertext authentication), and hence also $\mathsf {cDNS}$.

Theorem 12

Let $\varPi =(\mathsf {KeyGen}, \mathsf {Enc}, \mathsf {Dec})$ be a $\textsf {SKQES}$ that is $\mathsf {QAE}$ secure and satisfies Condition 1. Then it is $\mathsf {cQCA}$.

Proof

Assume $\varPi $ is not $\mathsf {cQCA}$. Then there exists an algorithm $\mathcal {A} =(\mathcal {A} _1,\mathcal {A} _2, \mathcal {A} _3)$ that achieves the following. $\mathcal {A} _1$ gets an input $1^n$ and outputs registers M (the plaintext register) and B. $\mathcal {A} _2$ implements a map $\varLambda _{CB\rightarrow C\tilde{B}}$ on two registers C (the ciphertext register) and B. $\mathcal {A} _3$ is a distinguisher between the two states resulting from applying $ \tilde{\varLambda }_{CB\rightarrow C\tilde{B}}$ or the corresponding simulator according to Eqs. (5) and (6) to the output of $\mathcal {A} _1$.

The crucial observation is, that the map on registers MB resulting from sending M to the challenger $\mathcal C'_{\mathsf {ideal}}$ as an encryption query in the ideal $\mathsf {QAE}$ game, applying $\varLambda _{CB\rightarrow C\tilde{B}}$ to the output and sending the resulting C-register to $\mathcal C'_{\mathsf {ideal}}$ as a decryption query, is exactly the simulator defined in Eqs. (5) and (6). Thus, the adversary that runs $\mathcal {A} _1$, queries the encryption oracle, runs $\mathcal {A} _2$, queries the decryption oracle and finally runs $\mathcal {A} _3$ is a successful $\mathsf {QAE}$ adversary. $\square $

In addition, $\mathsf {QAE}$ implies quantum unforgeability.

Theorem 13

$\mathsf {QAE} \implies \mathsf {QUF} $.

Proof

For a scheme $\varPi $, let $\mathcal {A}$ be an adversary against $\mathsf {QUF}$, e.g., let us say that:

$$ \Pr \left[ \mathsf {QUF\text {-}Forge} (\varPi ,\mathcal {A},n) \rightarrow \mathsf {win} \right] = \Pr \left[ \mathsf {QUF\text {-}Cheat} (\varPi ,\mathcal {A},n) \rightarrow \mathsf {cheat} \right] + \nu \, , $$

where $\nu $ is non-negligible. We then build another adversary $\mathcal {B} $ with black-box access to $\mathcal {A}$, able to distinguish $\mathsf {QAE\text {-}Real}$ from $\mathsf {QAE\text {-}Ideal}$ with non-negligible advantage. $\mathcal {B} $ runs $\mathcal {A}$, and forwards all of $\mathcal {A}$’s queries to his own encryption oracle. When eventually $\mathcal {A}$ outputs a forgery, $\mathcal {B} $ sends it for decryption to his own decryption oracle. If the decryption succeeds (that is, the oracle does not return $\left| \bot \right\rangle \left\langle \bot \right| $), then $\mathcal {B} $ outputs $\mathsf {real}$, otherwise he outputs $\mathsf {ideal}$.

The idea is the following: suppose the decryption of the forgery state succeeds (i.e., it does not decrypt to $\left| \bot \right\rangle \left\langle \bot \right| $). This can happen in two cases:

1.
we are in the $\mathsf {QAE\text {-}Real}$ game, and $\mathcal {A}$ produced a valid forgery (i.e., he won the $\mathsf {QUF\text {-}Forge}$ game); or
2.
we are in the $\mathsf {QAE\text {-}Ideal}$ game, and $\mathcal {A}$ cheated by replaying an output of the encryption oracle (i.e., he won the $\mathsf {QUF\text {-}Cheat}$ game).

Recall that, by assumption, $\mathcal {A}$ produces a valid forgery with probability at least $\nu $ over cheating. Therefore the case 2. above happens with noticeable less probability than case 1., which is in fact the one $\mathcal {B}$ “bets” on. Analogously, suppose the decryption fails. This can happen in two cases:

1.
we are in the $\mathsf {QAE\text {-}Real}$ game, but $\mathcal {A}$ produced an invalid forgery (i.e., he lost the $\mathsf {QUF\text {-}Forge}$ game); or
2.
we are in the $\mathsf {QAE\text {-}Ideal}$ game, and $\mathcal {A}$ did not cheat (i.e., he lost $\mathsf {QUF\text {-}Cheat}$).

For the same reasoning as above, 2. is noticeably more likely than 1., which is in fact $\mathcal {B}$’s bet. More in detail, we have:

$$\begin{aligned}&\Big | \Pr \left[ \mathcal {B} (\mathsf {QAE\text {-}Real}) \rightarrow \mathsf {Real} \right] - \Pr \left[ \mathcal {B} (\mathsf {QAE\text {-}Ideal}) \rightarrow \mathsf {Real} \right] \Big | \\ =\,&\Big | \Pr \left[ \mathsf {QAE\text {-}Real} \right] \cdot \Pr \left[ \mathcal {A} (\mathsf {QUF\text {-}Forge}) \rightarrow \mathsf {win} \right] \\&-\, \Pr \left[ \mathsf {QAE\text {-}Ideal} \right] \cdot \Pr \left[ \mathcal {A} (\mathsf {QUF\text {-}Cheat}) \rightarrow \mathsf {cheat} \right] \Big | \\ =\,&\frac{1}{2}\Big | \Pr \left[ \mathcal {A} (\mathsf {QUF\text {-}Forge}) \rightarrow \mathsf {win} \right] - \big ( \Pr \left[ \mathcal {A} (\mathsf {QUF\text {-}Forge}) \rightarrow \mathsf {win} \right] - \nu \big ) \Big |=\frac{\nu }{2} \, , \end{aligned}$$

which is non-negligible. $\square $

Finally, we consider the classical restriction $\mathsf {AE} '$ of $\mathsf {QAE}$.

Proposition 3

$\mathsf {AE} ' \iff \mathsf {AE} $.

Proof

The security notion $\mathsf {AE}$’ is given in terms of two experiments which are like the $\mathsf {AE\text {-}Real}$ and $\mathsf {AE\text {-}Ideal}$ experiments in Shrimpton’s formulation of $\mathsf {AE}$ security, with the following difference:

1.
in the modified $\mathsf {AE\text {-}Real}$ experiment, the decryption oracle does not reject non-fresh ciphertexts, i.e. it is unrestricted; and
2.
in the modified $\mathsf {AE\text {-}Ideal}$ experiment, the decryption oracle does not always return $\bot $: in case it is queried on a non-fresh ciphertext, it decrypts correctly.

Since classically we can store and compare plaintexts and ciphertexts, it is easy to construct an efficient simulator able to switch between the experiments of $\mathsf {AE}$ and $\mathsf {AE}$$^\prime $, by inspecting $\mathcal {A}$’s decryption queries and reacting accordingly. Namely:

1.
to switch from $\mathsf {AE}$ to $\mathsf {AE}$$^\prime $, record $\mathcal {A}$’s plaintexts and ciphertexts during encryption queries, and reply with the right plaintext whenever $\mathcal {A}$ asks to decrypt a non-fresh ciphertext (otherwise, just send the query to the decryption oracle); and
2.
to switch from $\mathsf {AE}$$^\prime $ to $\mathsf {AE}$, record $\mathcal {A}$’s received ciphertexts during encryption queries, and reply with $\bot $ whenever $\mathcal {A}$ asks to decrypt a non-fresh ciphertext (otherwise, just send the query to the decryption oracle).

This concludes the proof, as it shows the two cases to be equivalent. $\square $

In particular, $\mathsf {AE} '$ is equivalent to $\mathsf {UF} $. We provide evidence that a quantum analogue of this statement does not hold in the next section.

7 Constructions and Separations

In this section we exhibit constructions of $\textsf {SKQES}$ that fulfill and separate the different security notions presented in the preceding sections. We begin by showing that augmenting a one-time scheme by a (perfectly) random function family using the construction in Definition 2 turns a $\mathsf {QCA}$ secure scheme into a $\mathsf {QAE}$ secure scheme. Then we will move on to show how to satisfy $\mathsf {QAE}$ with an efficiently implementable scheme. Recall that efficient $\mathsf {QCA}$-secure $\textsf {SKQES}$ can be constructed, e.g., from unitary two-designs like the Clifford group.

Theorem 14

Let $\varPi $ be a $\mathsf {QCA}$-secure $\textsf {SKQES}$, and let $f: \mathcal {K} \times \{0,1\}^n \rightarrow \{0,1\}^m$ be a random function family. Then the scheme $\varPi ^f$ in Definition 2 is $\mathsf {QAE}$ secure.

Proof

We let $\varPi =(\mathsf {KeyGen}, \mathsf {Enc},\mathsf {Dec})$ and $\varPi ^\mathcal F =(\mathsf {KeyGen} ', \mathsf {Enc} ',\mathsf {Dec} ')$ where

1.
$\mathsf {KeyGen} '(1^n)$ outputs a random function F from $\{0,1\}^n$ to $\{0,1\}^m$;
2.
$\mathsf {Enc} '_F(X_M)$ outputs $|s\rangle \langle s|_R\otimes \mathsf {Enc} _{F(s)}(X)_C$, where ;
3.
$\mathsf {Dec} '_F(Y_{RC})$ first measures the R register to get outcome $s'$; then it runs $\mathsf {Dec} _{F(s')}$ on register C and outputs the result.

Suppose $\mathcal {A} $ is a $\mathsf {QAE}$ adversary against $\varPi ^\mathcal F$, i.e., a QPT algorithm with oracle access to $\mathsf {Enc} '_k$ and $\mathsf {Dec} '_k$. Suppose $\mathcal {A} $ makes $\ell (n)$ queries to the oracle, where $\ell $ is some polynomial function of n. We assume that the randomnesses $s_i$ and the keys $F(s_i)$ used for the scheme $\varPi $ in the different encryption queries (for $i = 1, \ldots , \ell (n)$) are all distinct; this is true except with negligible probability.

Let us first analyze what happens in the $\mathsf {QAE\text {-}Real}$ experiment. Consider the i-th decryption oracle call. The decryption begins with a measurement of the R register, yielding some outcome s and thereby a key $\bar{k}=F(s)$. We can analyze the situation for each outcome s that occurs with non-negligible probability, separately. This is because if an adversary is successful, it is easy to see that there is also a modified successful adversary, that submits only decryption queries with a fixed string s in the randomness register.

Suppose first that $\bar{k}=F(s) \ne F(s_i)$ for all i. In this case, the $\varPi $-encrypted part of the forgery candidate gets decrypted with a key different from all the ones used for encryption. We analyze the attack map $\varLambda =\tilde{\mathcal {A}}(1^n)\mathrm {Tr}_C$ against the $\mathsf {QCA}$ scheme $\varPi $, where $\tilde{\mathcal {A}}$ is defined to first run $\mathcal {A} $ until the ith decryption query, while answering each encryption query by sampling a fresh key for the scheme $\varPi $. Note that $\varLambda $ does not use initial side information, therefore $\sigma ^{\mathsf {acc}}:=\varLambda ^{\mathsf {acc}}$ and $\sigma ^{\mathsf {rej}}:=\varLambda ^{\mathsf {rej}}$ are just positive semidefinite matrices whose trace sums to one.

According to Eq. (4) in the definition of $\mathsf {QCA}$, the trace of $\sigma ^{\mathsf {acc}}$ is the probability that the simulator applies the identity to the plaintext. The output of the attack map $\varLambda $ does not depend on it’s input, i.e. the same holds for the effective map $\varLambda ^\varPi $ and hence for $(\mathbbm {1}-|\bot \rangle \langle \bot |)\varLambda ^\varPi (\cdot )(\mathbbm {1}-|\bot \rangle \langle \bot |)$. Any such map is far from any non-negligible multiple of the identity channel so the trace of $\sigma ^{\mathsf {acc}}$ is negligible according to Eq. 3. We have hence shown that the decryption oracle returns $\bot $ with overwhelming probability, so we can take $\sigma ^{crej}=\mathrm {Tr}_C\tilde{\mathcal {A}}(1^n)$.

Let now $s'=r_j$, and write $\mathcal {A} =\mathcal {A} _1\mathsf {Enc} _{\hat{k}}\mathcal {A} _0$, splitting the adversary into two parts before and after the j-th encryption query. Let $(\tilde{\mathcal {A}}_1)_{CE_1\rightarrow CE_2}$ be defined analogous to $\tilde{\mathcal {A}}$. $E_1$ and $E_2$ are the internal memory registers of $\mathcal {A} $ at the time of the j-th encryption query and the i-th decryption query, respectively. $\varPi $ is $\mathsf {QCA}$ secure, implying that $\tilde{\mathcal {A}}_1^\varPi =\mathbb {E}_{\bar{k}}\left[ \mathsf {Dec} _k\circ \tilde{\mathcal {A}}_1\circ \mathsf {Enc} _{\bar{k}}\right] $ fulfills:

$$\begin{aligned} \Vert (\tilde{\mathcal {A}}^\varPi _1)_{ME_1\rightarrow ME_2}-\mathrm {id}_M\otimes (\tilde{\mathcal {A}}^{\mathsf {acc}}_1)_{E_1\rightarrow E_2}-\bot \otimes (\tilde{\mathcal {A}}^{\mathsf {rej}}_1)_{E_1\rightarrow E_2}\Vert _\diamond \le {\text {negl}} (n), \end{aligned}$$

(7)

where (using $P_{\text {inv}}=\mathbbm {1}-|\varPhi _{\bar{k},\bar{r}}\rangle \langle \varPhi _{\bar{k},\bar{r}}|$):

$$\begin{aligned} \tilde{\mathcal {A}}^{\mathsf {acc}}_1&= \mathbb {E}_{\bar{k},\bar{r}}\left[ \langle \varPhi _{\bar{k},\bar{r}} | V_{\bar{k}}^\dagger \tilde{\mathcal {A}}^{\mathsf {acc}}_1 \left( \mathsf {Enc} _{\bar{k};\bar{r}}\left( \phi ^+_{MM'} \right) \otimes (\cdot )_{E_1} \right) V_{\bar{k}}| \varPhi _{\bar{k}, \bar{r}} \rangle \right] \text { and}\nonumber \\ \tilde{\mathcal {A}}^{\mathsf {rej}}_1&= \mathbb {E}_{\bar{k},\bar{r}}\left[ \mathrm {Tr}_{MM'T}P_{\text {inv}} V_{\bar{k}}^\dagger \tilde{\mathcal {A}}^{\mathsf {acc}}_1 \left( \mathsf {Enc} _{\bar{k};\bar{r}}\left( \phi ^+_{MM'} \right) \otimes (\cdot )_{E_1} \right) V_{\bar{k}}\right] . \end{aligned}$$

(8)

The form of the simulator in the reject case follows by using that the maximally entangled state is a point in the optimization defining the diamond norm in (3) and using the monotonicity of the trace norm under partial trace.

We now show indistinguishability of the real and ideal experiments by induction over the decryption queries. Since $\mathsf {QCA}$ implies $\mathsf {IND}$, the two are indistinguishable before the first decryption query. Assume now that the two experiments cannot be distinguished using an algorithm that makes at most $i-1$ decryption queries. Consider $\mathcal {A}$ running in the ideal experiment until right before the $(i+1)$-th decryption query (or until the end, if $i=\ell $). We make the same case distinction as before. In the first case the measurement in line (3) in the ideal decryption oracle in Experiment 5 never returns 0, i.e. the output is always $\mathsf {reject}$. Therefore we can replace the i-th decryption oracle by the constant reject function, thereby reducing the number of decryption oracle calls of to $i-1$. By the induction hypothesis, the contents of the internal register are therefore indistinguishable whether in the $\mathsf {QAE\text {-}Real}$ or in the $\mathsf {QAE\text {-}Ideal}$ experiment.

Turning to the second case, we make a very similar argument. We have $s=s_j$, i.e. the only encryption query where the measurement from line (3) in the definition of the ideal decryption oracle in Experiment 5 can possibly return 0 is the j-th. Here it is left to observe that the rest of the ideal decryption oracle implements exactly the same map as in the ideal world, i.e. the ones from Eqs. (7) and (8). Replacing the j-th encryption and the i-th decryption oracle call by this map, and using the induction hypothesis, we get that $\mathcal {A}$ run until before the $i+1$-th decryption oracle call cannot distinguish $\mathsf {QAE\text {-}Real}$ from $\mathsf {QAE\text {-}Ideal}$. This ends the proof by induction. $\square $

We now show how to satisfy $\mathsf {QAE}$ efficiently, by means of a post-quantum-secure pseudorandom function.

Corollary 2

Let $\varPi $ be a $\mathsf {QCA}$-secure $\textsf {SKQES}$ that satisfies Condition 1, and let f be a $\mathsf {pqPRF}$. Then the scheme $\varPi ^f$ (from Definition 2) satisfies $\mathsf {QAE}$.

Proof

As a contradiction, suppose there exists a QPT algorithm $\mathcal {A} $ that distinguishes $\mathsf {QAE\text {-}Real}$ from $\mathsf {QAE\text {-}Ideal}$. We claim that this also holds if f is replaced with a completely random function family $\mathcal F$. If $\mathcal {A} $ cannot break the random scheme $\varPi ^{\mathcal F}$, then we can build a distinguisher for f versus $\mathcal F$, as follows. What we would like to do is the following. Given an oracle $\mathcal O$, we:

1.
choose a random bit ;
2.
if $b=0$, we simulate the $\mathsf {QAE\text {-}Real} (\varPi ^\mathcal O, \mathcal A, n)$ experiment using our oracle;
3.
if $b=1$, we simulate the $\mathsf {QAE\text {-}Ideal} (\varPi ^\mathcal O, \mathcal A, n)$ experiment using our oracle;
4.
output $b \oplus s$ where s is the output of $\mathcal {A}$.

This may at first not seem possible using the classical oracle we are provided with, as the ideal decryption oracle has to implement the unitary $V_k^\dagger $, which seems to require superposition access to the random/pseudorandom function. However, observe that steps 5–11 of Experiment 2 commute with a measurement of the randomness register R in the computational basis, and afterwards this register is discarded. Therefore the outcome of the experiment is not changed by first measuring the register R, which yields an outcome r. Then the modified challenger can use classical oracle access to the random/pseudorandom function to implement $V_k^\dagger $ on the measured input state.

Note that, if $\varPi ^\mathcal O$ is secure, then b and s are independent (up to negligible terms) and $b \oplus s$ is a fair coin. If $\varPi ^\mathcal O$ is insecure, then it deviates from uniform by the $\mathsf {QUF} $ distinguishing advantage of $\mathcal A$. This yields a distinguisher between the case $\mathcal O = f$ and $\mathcal O = \mathcal F$. The claim then follows from Theorem 14. $\square $

In particular, the scheme family $\mathsf {2desTag} ^\mathsf {pqPRF} $ is sufficient for $\mathsf {QAE}$. We remark that the proof uses the fact that, given classical oracle access to f, the scheme $\varPi ^f$ is efficiently implementable in the sense of Condition 1 – regardless of the nature of the family f. Of course, in the special case where f is a $\mathsf {pqPRF}$, then $\varPi ^f$ simply satisfies Condition 1 without any need for oracles.

As $\mathsf {QAE}$ implies both $\mathsf {QUF}$ and $\mathsf {QIND\text {-}CCA2}$ (see Theorems 11 and 13), we have the following corollary.

Corollary 3

Let $\varPi $ be a $\mathsf {QCA}$-secure $\textsf {SKQES}$ that satisfies Condition 1, and let f be a $\mathsf {pqPRF}$. Then the scheme $\varPi ^f$ (from Definition 2) satisfies $\mathsf {QUF}$ and $\mathsf {QIND\text {-}CCA2}$.

We can also show how to satisfy bounded-query unforgeability, i.e., $\mathsf {QUF} _t$. Recall that a t-wise independent function is a deterministic, efficiently computable keyed function family $\{f_k\}_k$ which appears random to any algorithm (of unbounded computational power) which gets classical oracle access to $f_k$ for uniformly random k, and can make at most t queries. One can apply the proof technique of Corollary 2 and Theorem 14 to obtain the following.

Corollary 4

Let $\varPi $ be a $\mathsf {QCA}$-secure $\textsf {SKQES}$, and let f be a t-wise independent function family. Then the scheme $\varPi ^f$ (as defined in Definition 2) satisfies $\mathsf {QUF} _t$.

Proof

(Sketch). If there exists a QPT $\mathcal A$ which can break $\mathsf {QUF} _t$ for $\varPi ^f$ using t-many queries, then it also breaks $\varPi ^\mathcal F$ where $\mathcal F$ is a random function. If not, we construct an oracle distinguisher for $\mathcal O = f$ versus $\mathcal O = \mathcal F$ which simulates $\mathcal A$ in one of the two games (each with probability $1 \slash 2$) and outputs a bit which is biased depending on $\mathcal O$. Note that we only need t queries to do this, since we only run one of the games (and not both). It then remains to invoke Theorem 14, and observe that Theorem 13 holds in the case of a bounded number of queries. $\square $

Separations. While $\mathsf {QAE}$ implies $\mathsf {QIND\text {-}CCA2}$ according to Theorem 11, the converse does not hold. In fact, consider any $\mathsf {QAE}$ secure scheme and modify the decryption function by replacing the reject symbol by a fixed plaintext, e.g. the all zero state. Such a scheme is certainly still $\mathsf {QIND\text {-}CCA2}$ secure, as any adversary against it can be used against the original scheme by simulating the modified one. The modified scheme is, however, manifestly not $\mathsf {QAE}$ as it never outputs $\bot $. The same reasoning works for $\mathsf {QUF}$ in place of $\mathsf {QAE}$.

Proposition 4

$\mathsf {QIND\text {-}CCA2}\not \Rightarrow \mathsf {QUF} $, and therefore $\mathsf {QIND\text {-}CCA2}\not \Rightarrow \mathsf {QAE} $.

Finally, we turn to the relationship of $\mathsf {QAE}$ and $\mathsf {QUF}$, and propose a separation as follows. Let $\varPi $ be a scheme that fulfills $\mathsf {cQCA}$ (Definition 6) for trivial register $\tilde{B}$, but can be broken using an efficient attack with nontrivial $\tilde{B}$. For any PRF f, $\varPi ^f$ is clearly $\mathsf {QUF}$, as the security notion ignores side information. It can however not be $\mathsf {QAE}$, as $\mathsf {QAE}$ implies $\mathsf {cQCA} $.

8 Discussion

In this work, we presented four new security notions for symmetric key quantum encryption: $\mathsf {QCA}$, $\mathsf {QUF}$, $\mathsf {QIND\text {-}CCA2}$ and $\mathsf {QAE}$. While we have already made significant progress on understanding these notions, a number of open questions remain. A few are as follows. Does an encryption scheme as discussed below Proposition 4 exist, proving $\mathsf {QUF} \not \Rightarrow \mathsf {QAE} $? If so, does $\mathsf {QUF}$ imply $\mathsf {QIND\text {-}CCA2}$ or $\mathsf {QIND\text {-}CCA1}$? Classically, unforgeability and $\mathsf {IND\text {-}CCA2}$ imply $\mathsf {AE}$; does this hold quantumly as well? Finally, is there a scheme that satisfies $\mathsf {QIND\text {-}CCA2}$ but cannot be upgraded to $\mathsf {QAE}$ by simply modifying the decryption function?

Notes

1.
A more general definition uses arbitrary key generation algorithms. We assume a uniform key in this paper for technical and notational convenience.
2.
If the dimension of the plaintext space does not divide the dimension of the ciphertext space, then we may need an isometry. In our case, all spaces are made up of qubits.
3.
In [15], this simulator was used to prove $\mathsf {DNS}$ security of the $\mathsf {2desTag}$ scheme. Here, we consider whether that simulator can be used to define secure authentication.
4.
One might also start from the authentication definitions of [21, 27] rather than $\mathsf {DNS}$. However, this is not necessary: these definitions’ advantage over $\mathsf {DNS}$ is in key recycling; our setting is non-interactive and has no back-channel for key recycling.
5.
The interface that the two games provide to the adversary differ slightly in that the adversary is not asked to output a bit in the end of the $\mathsf {QCCA2\text {-}Fake}$ game. This is not a problem as the games have the same interface until the second one terminates.
6.
More precisely, the ideal world maintains a list of all queries that $\mathcal {A} $ makes to E, and ensures that D will respond correctly if queried on an output of E.

References

Aaronson, S., Gottesman, D.: Improved simulation of stabilizer circuits. CoRR, quant-ph/0406196 (2004)
Google Scholar
Aharonov, D., Ben-Or, M., Eban, E.: Interactive proofs for quantum computations. In: Proceedings of the Innovations in Computer Science - ICS 2010, Tsinghua University, Beijing, China, 5–7 January 2010, pp. 453–469 (2010)
Google Scholar
Alagic, G., Broadbent, A., Fefferman, B., Gagliardoni, T., Schaffner, C., St. Jules, M.: Computational security of quantum encryption. In: Nascimento, A.C.A., Barreto, P. (eds.) ICITS 2016. LNCS, vol. 10015, pp. 47–71. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-49175-2_3
Chapter Google Scholar
Alagic, G., Gagliardoni, T., Majenz, C.: Unforgeable quantum encryption. Cryptology ePrint Archive, Report 2017/960 (2017). https://eprint.iacr.org/2017/960
Alagic, G., Majenz, C.: Quantum non-malleability and authentication. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10402, pp. 310–341. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63715-0_11
Chapter Google Scholar
Ambainis, A., Bouda, J., Winter, A.: Non-malleable encryption of quantum information. J. Math. Phys. 50(4), 042106 (2009)
Article MathSciNet MATH Google Scholar
Ambainis, A., Mosca, M., Tapp, A., de Wolf, R.: Private quantum channels. In: 41st Annual Symposium on Foundations of Computer Science, FOCS 2000, Redondo Beach, California, USA, 12–14 November 2000, pp. 547–553 (2000)
Google Scholar
Barak, B.: Cs127 course notes, Chap. 6. http://www.boazbarak.org/cs127/chap06_CCA.pdf. Accessed 7 Sept 2017
Barnum, H., Crépeau, C., Gottesman, D., Smith, A.D., Tapp, A.: Authentication of quantum messages. In: Proceedings of the 43rd Symposium on Foundations of Computer Science (FOCS 2002), Vancouver, BC, Canada, 16–19 November 2002, pp. 449–458 (2002)
Google Scholar
Bellare, M., Namprempre, C.: Authenticated encryption: relations among notions and analysis of the generic composition paradigm. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 531–545. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-44448-3_41
Chapter Google Scholar
Boneh, D., Zhandry, M.: Quantum-secure message authentication codes. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 592–608. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38348-9_35
Chapter Google Scholar
Boneh, D., Zhandry, M.: Secure signatures and chosen ciphertext security in a quantum computing world. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8043, pp. 361–379. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40084-1_21
Chapter Google Scholar
Brandão, F.G.S.L., Harrow, A.W., Horodecki, M.: Local random quantum circuits are approximate polynomial-designs. Commun. Math. Phys. 346(2), 397–434 (2016)
Article MathSciNet MATH Google Scholar
Broadbent, A., Jeffery, S.: Quantum homomorphic encryption for circuits of low T-gate complexity. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9216, pp. 609–629. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48000-7_30
Chapter Google Scholar
Broadbent, A., Wainewright, E.: Efficient simulation for quantum message authentication. In: Nascimento, A.C.A., Barreto, P. (eds.) ICITS 2016. LNCS, vol. 10015, pp. 72–91. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-49175-2_4
Chapter Google Scholar
DiVincenzo, D.P., Leung, D.W., Terhal, B.M.: Quantum data hiding. IEEE Trans. Inf. Theory 48(3), 580–598 (2002)
Article MathSciNet MATH Google Scholar
Dulek, Y., Schaffner, C., Speelman, F.: Quantum homomorphic encryption for polynomial-sized circuits. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9816, pp. 3–32. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53015-3_1
Chapter Google Scholar
Dupuis, F., Nielsen, J.B., Salvail, L.: Secure two-party quantum evaluation of unitaries against specious adversaries. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 685–706. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14623-7_37
Chapter Google Scholar
Dupuis, F., Nielsen, J.B., Salvail, L.: Actively secure two-party evaluation of any quantum operation. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 794–811. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32009-5_46
Chapter Google Scholar
Gagliardoni, T., Hülsing, A., Schaffner, C.: Semantic security and indistinguishability in the quantum world. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9816, pp. 60–89. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53015-3_3
Chapter Google Scholar
Garg, S., Yuen, H., Zhandry, M.: New security notions and feasibility results for authentication of quantum data. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10402, pp. 342–371. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63715-0_12
Chapter Google Scholar
Gottesman, D.: The Heisenberg representation of quantum computers. arXiv quant-ph/9807006 (1998)
Google Scholar
Gottesman, D.: Uncloneable encryption. Quantum Inf. Comput. 3(6), 581–602 (2003)
MathSciNet MATH Google Scholar
Hayden, P., Leung, D.W., Mayers, D.W.: The universal composable security of quantum message authentication with key recyling. arXiv quant-ph/1610.09434 (2016)
Google Scholar
Katz, J., Lindell, Y.: Introduction to Modern Cryptography, 2nd edn. CRC Press, Boca Raton (2014)
MATH Google Scholar
Nielsen, M.A., Chuang, I.L.: Quantum Computation and Quantum Information: 10th Anniversary Edition, 10th edn. Cambridge University Press, New York (2011)
MATH Google Scholar
Portmann, C.: Quantum authentication with key recycling. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10212, pp. 339–368. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56617-7_12
Chapter Google Scholar
Shrimpton, T.: A characterization of authenticated-encryption as a form of chosen-ciphertext security. IACR Cryptology ePrint Archive 2004:272 (2004)
Google Scholar
Winter, A.J.: Coding theorem and strong converse for quantum channels. IEEE Trans. Inf. Theory 45(7), 2481–2485 (1999)
Article MathSciNet MATH Google Scholar

Download references

Acknowledgements

The authors would like to thank Anne Broadbent, Frédéric Dupuis, Yfke Dulek, Alex Russell, Christian Schaffner, and Fang Song for insightful discussions about the problems solved in this work. Part of this work was done while T.G. was supported by the TU Darmstadt. Part of this work was done while G.A. and C.M. were at QMATH, University of Copenhagen. Part of this work was sponsored by the COST CryptoAction IC1306. T.G. acknowledges financial support from the European Commissions PERCY grant (agreement 321310). G.A. and C.M. acknowledge financial support from the European Research Council (ERC Grant Agreement no 337603), the Danish Council for Independent Research (Sapere Aude) and VILLUM FONDEN via the QMATH Centre of Excellence (Grant No. 10059). This work is part of the research programme “Cryptography in the Quantum Age” with project number 639.022.519, which is financed by the Netherlands Organisation for Scientific Research (NWO).

Author information

Authors and Affiliations

Joint Center for Quantum Information and Computer Science, University of Maryland, College Park, MD, USA
Gorjan Alagic
National Institute of Standards and Technology, Gaithersburg, MD, USA
Gorjan Alagic
IBM Research, Zurich, Switzerland
Tommaso Gagliardoni
Institute for Logic, Language and Computation, University of Amsterdam, Amsterdam, Netherlands
Christian Majenz
Centrum for Wiskunde en Informatica, Amsterdam, Netherlands
Christian Majenz

Authors

Gorjan Alagic
View author publications
You can also search for this author in PubMed Google Scholar
Tommaso Gagliardoni
View author publications
You can also search for this author in PubMed Google Scholar
Christian Majenz
View author publications
You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Gorjan Alagic .

Editor information

Editors and Affiliations

Aarhus University, Aarhus, Denmark
Jesper Buus Nielsen
University of Leuven, Leuven, Belgium
Vincent Rijmen

Rights and permissions

Reprints and permissions

Copyright information

About this paper

Cite this paper

Alagic, G., Gagliardoni, T., Majenz, C. (2018). Unforgeable Quantum Encryption. In: Nielsen, J., Rijmen, V. (eds) Advances in Cryptology – EUROCRYPT 2018 . EUROCRYPT 2018. Lecture Notes in Computer Science(), vol 10822. Springer, Cham. https://doi.org/10.1007/978-3-319-78372-7_16

Download citation

DOI: https://doi.org/10.1007/978-3-319-78372-7_16
Published: 31 March 2018
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-78371-0
Online ISBN: 978-3-319-78372-7
eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Societies and partnerships

the International Association for Cryptologic Research (opens in a new tab)

Unforgeable Quantum Encryption

Abstract

Similar content being viewed by others

On Quantum Ciphertext Indistinguishability, Recoverability, and OAEP

Composable and Finite Computational Security of Quantum Message Transmission

On Security Notions for Encryption in a Quantum World

Keywords

1 Introduction

1.1 Our Approach

1.2 Summary of Results

Theorem 1

Theorem 2

Theorem 3

Theorem 4

Theorem 5

Theorem 6

2 Preliminaries

Definition 1

Definition 2

Definition 3

Definition 4

Scheme 1

3 One-Time Ciphertext Authentication

Lemma 1

Corollary 1

Condition 1

Definition 5

Theorem 7

Definition 6

Proposition 1

4 Quantum Unforgeability

Experiment 1

Experiment 2

Definition 7

Theorem 8

Proof

Definition 8

Theorem 9

Proof

5 Quantum \(\mathsf {IND\text {-}CCA2}\)

Experiment 3

Experiment 4

Definition 9

Proposition 2

Proof

Theorem 10

Proof

6 Quantum Authenticated Encryption

Experiment 5

Experiment 6

Definition 10

Theorem 11

Proof

Theorem 12

Proof

Theorem 13

Proof

Proposition 3

Proof

7 Constructions and Separations

Theorem 14

Proof

Corollary 2

Proof

Corollary 3

Corollary 4

Proof

Proposition 4

8 Discussion

Notes

References

Acknowledgements

Author information

Authors and Affiliations

Corresponding author

Editor information

Editors and Affiliations

Rights and permissions

Copyright information

About this paper