A New Hard Problem for Post-Quantum Cryptography: Q-Problem Primitives

Abstract

This article investigates the Q-Problem, a novel theoretical framework for post-quantum cryptography. It aims to redefine cryptographic hardness by moving away from problems with unique solutions toward problems that admit multiple indistinguishable preimages. This shift is motivated by the structural vulnerabilities that quantum algorithms may exploit in traditional formulations. To support this paradigm, we define new cryptographic primitives and security notions, including Q-Indistinguishability, Long-Term Secrecy, and a spectrum of Q-Secrecy levels. The methodology formalizes the Q-Problem as a system of expressions, called Q-expressions, that must satisfy a set of indistinguishability and reduction properties. We also propose a taxonomy of its models, including Connected/Disconnected, Totally/Partly, Fully/Partially Probabilistic, Perfect, and Ideal Q-Problem variants. These models illustrate the versatility across a range of cryptographic settings. By abstracting hardness through indistinguishability rather than solvability, Q-Problem offers a new direction for designing cryptographic protocols resilient to future quantum attacks. This foundational framework provides the foundations for long-term, composable, and structure-aware security in the quantum era.

1. Introduction

Post-quantum cryptography seeks to develop cryptographic systems that remain secure against quantum adversaries. The advent of quantum algorithms, e.g., Shor’s algorithm for factoring and discrete logarithms and Grover’s algorithm for unstructured search [1,2], poses a significant threat to many classical cryptographic schemes [3]. In response, researchers proposed new schemes based on assumptions believed to be quantum-resistant, including lattice-based [4], code-based [5], multivariate polynomial [6], and hash-based cryptography [7].

However, a common trait shared by most post-quantum problems is that they ultimately aim to protect a unique hidden solution. This structural assumption, while seemingly harmless, may eventually be exploited by future quantum techniques. For example, in certain code-based settings, even if the decoding problem is computationally hard, the existence of a unique solution could facilitate distinguishability or targeted inversion under quantum models [5,8,9]. Thus, post-quantum security may be compromised not by current algorithms, but by structural weaknesses in the underlying problem formulations.

To address this, we propose a new theoretical direction: the Q-Problem (QP) paradigm. Rather than protecting a single solution, QP defines problems where multiple valid preimages exist for a given instance, and the true one is computationally indistinguishable from the others. The goal is to frustrate quantum search strategies not by sheer hardness, but by deliberately removing uniqueness. QP thus introduces a new class of cryptographic hardness assumptions that shift the adversary’s challenge from solving to selecting, disrupting the very structure quantum algorithms are designed to exploit.

The Q-Problem framework leads to a family of new primitives and security notions suited to long-term, post-quantum resilience. These include Q-Indistinguishability (Q-IND): a hardness notion based on indistinguishable preimage sets. LTS: a model for protecting information across decades. Q-Secrecy levels such as $Q_{x}nI$, quantifying degrees of entropy and indistinguishability.

Furthermore, QP enables a taxonomy of the types of theoretical problems (

Table 1. Notations table.

Notation	Description
QP	Q-Problem, the proposed cryptographic framework based on indistinguishable multi-solution hardness
LTS	Long-Term Secrecy, security model ensuring secrecy over extended time periods (Section 2)
Q-IND	Q-Indistinguishability, a security property requiring indistinguishable preimage sets (Section 2)
$Q_{xnI}$	Q-Secrecy level, a parameterized measure of indistinguishability and entropy (Section 2)
Qe	Q-Expression, a structural representation of hidden data in the QP model (Section 3)
CQP/DQP	Connected/Disconnected QP, classification of Qe(s) connectivity (Section 4)
TQP/PQP	Totally/Partly QP, classification instance(s) connectivity (Section 4)
FPQP/PPQP	Fully/Partially Probabilistic QP, classification instance connectivity (Section 4)
SQP	Deterministic QP, a QP variant with no probabilistic components (Section 4)
FQP	Perfect QP, a QP instance satisfying continuity of instance connectivity (Section 4)
IQP	Ideal QP, a theoretical limit where security is supposed to be maximal (Section 4)
MFOTP	Message-Fragmentation-based One-Time Pad, a proposed encryption scheme under QP (Section 4)
$\mathcal{P}$	The set of all valid preimages corresponding to a given Q-expression (Section 2)
$\mathcal{D}$	The set of all digital data structures (Appendix A.2)
⋆	A binary operation used in Qe, it represents a transformation or interaction between digital structures, $\mathcal{D}\times \mathcal{D}\to \mathcal{D}$. (Appendix A.3)
$nI\left(o\right)$	The number of indistinguishable preimages of output o (Section 2)
SBC	Successive Breakdown of Components (Section 4)

): connected/disconnected QP, fully/partially QP, fully/partially probabilistic QP, perfect QP, and ideal QP, allowing tailored cryptographic designs in various application scenarios [10].

In this work, we present the formal construction of the Q-Problem paradigm, exploring its theoretical foundation, key properties, and cryptographic potential. By redefining secrecy as a property of indistinguishability among many candidates, QP offers a new and complementary defense model for the quantum era, one that shifts focus from solving to surviving search. Illustrative examples of Q-expressions over various data types and operations are presented in Appendix A.4 to demonstrate the applicability of the QP framework across classical and modern digital domains.

2. Definitions

In this section, three new definitions are introduced.

2.1. Long-Term Secrecy (LTS)

We define LTS as the property whereby multiple indistinguishable solutions exist for the same system instance, such that only one corresponds to the intended (original) input. Crucially, no observer without prior knowledge can determine which preimage is correct.

Let $\mathcal{O}$ denote the output space, $\mathcal{I}$ the input space, and $f:\mathcal{I}\to \mathcal{O}$ be a function. For any output $o\in \mathcal{O}$, let $f^{-1}\left(o\right)\subseteq \mathcal{I}$ denote the set of preimages of o. Among these, we define $nI\left(o\right)$ as the number of indistinguishable preimages of o, i.e., those that are computationally or semantically indistinct from one another in the absence of additional information.

A system satisfies LTS if the indistinguishability of these preimages persists over time and the number of such indistinguishable preimages meets the criterion shown by (1).

$$\forall o\in \mathcal{O},nI\left(o\right)\ge 2,\mathrm{or}\mid f^{-}\left(o\right)\mid \ge 2I$$

(1)

If $nI\left(o\right)=1$ for every $o\in \mathcal{O}$, then f is injective, i.e., one-to-one. This means that distinct inputs always map to distinct outputs, and hence each output corresponds to a unique input. This injectivity implies the absence of ambiguity, which contradicts the notion of indistinguishability that LTS aims to guarantee. In such a case, either immediately or in the future, an adversary could potentially compute the inverse $f^{-1}\left(o\right)$ and retrieve the original input, thereby breaking the LTS of the system. Therefore, this condition serves as a security requirement; it specifies when a system can be said to satisfy LTS, rather than asserting that all systems inherently meet it.

2.2. Q-Indistinguishability Assumption (Q-IND)

Let $\mathcal{D}$ be the set of all digital data structures, and let ⋆ be a generic operation over $\mathcal{D}$ (Equation (2)).

$$f(x,y)=x\star y$$

(2)

Suppose an oracle samples $x,y\in \mathcal{D}$ uniformly at random and outputs $a=f(x,y)=x\star y$. Then the Q-IND assumption states:

Given an instance $a\in \mathcal{D}$ and the operation ⋆, it is computationally infeasible to identify the correct input pair $(x,y)$ from the set of all uniformly distributed valid pairs ${(x_i,y_i)}_{i=1,\dots n}$ satisfying $f(x_i,y_i)=a$, when the number of such solutions satisfies $|f^{-1}\left(a\right)|\ge 2I$.

This assumption does not assert that computing a valid preimage is hard, but rather that distinguishing the correct preimage among $\ge 2I$ uniformly distributed and computationally indistinguishable candidates is infeasible without auxiliary information.

To define the Q-IND experiment formally, let the set of all valid preimages that defined as shown in (3).

$${\mathcal{P}}_a=\{{(x_i,y_i)}_{i=1,..n}\in \mathcal{D}\times \mathcal{D}\mid f(x_i,y_i)=a\}$$

(3)

Assume that $|{\mathcal{P}}_a|\ge 2I$ for some indistinguishability parameter I. For a quantitative interpretation of I, it could be related to a concrete security level (security parameter $\lambda$), e.g., $I=2^{\lambda }$. The set of solutions ($x_i,y_i$) satisfying $x_i\star y_i=a$ can be viewed as a structured level set in $\mathcal{D}\times \mathcal{D}$, potentially exhibiting algebraic or geometric properties depending on ⋆.

Q-IND Game ${\mathrm{Q}\text{-}\mathrm{IND}}^{\mathcal{A}}\left(I\right)$ can be shown as follows:

1.

The challenger samples $x,y\stackrel{\$}{\leftarrow }\mathcal{D}$ and computes $a=f(x,y)$.

2.

The challenger computes the preimage set ${\mathcal{P}}_a$.

3.

The index $j^{*}\in \{1,\dots ,|{\mathcal{P}}_a\left|\right\}$ is set such that ${\mathcal{P}}_a\left[j^{*}\right]=(x,y)$.

4.

The challenger sends $(a,{\mathcal{P}}_a)$ to the adversary ${\mathcal{A}}_2$.

5.

The adversary outputs an index $j^{\prime }\in \{1,\dots ,|{\mathcal{P}}_a\left|\right\}$.

6.

The adversary wins if $j^{\prime }=j^{*}$.

Q-IND advantage is illustrated by (4).

$${\mathrm{Adv}}_{\mathcal{A}}^{\mathrm{Q}-\mathrm{IND}}\left(I\right):=\left|Pr[j^{\prime }=j^{*}|{\mathcal{A}}_2(a,{\mathcal{P}}_a)]-{\displaystyle \frac{1}{2I}}\right|$$

(4)

The notation $Pr[j^{\prime }=j^{*}\mid {\mathcal{A}}_2(a,{\mathcal{P}}_a)]$ represents the probability that the adversary outputs the correct index $j^{\prime }=j^{*}$, conditioned on having access to the values a and ${\mathcal{P}}_a$. This probability is taken over all internal randomness of both the adversary and the challenger, and the conditioning reflects the fact that the adversary’s output depends on its input view.

The index $j^{*}$ corresponds to the location of the true preimage $(x,y)$ within the preimage set ${\mathcal{P}}_a$. Since ${\mathcal{P}}_a=\{(x_1,y_1),\dots ,(x_n,y_n)\}$ contains all valid input pairs such that $f(x_i,y_i)=a$. Hence, the number of possible values that $j^{*}$ can take is exactly $|{\mathcal{P}}_a|$. An adversary making a uniform random guess has a success probability of $1/|{\mathcal{P}}_a|$. This forms the basis of the Q-IND advantage definition, which captures how much better the adversary ${\mathcal{A}}_2$ performs compared to random guessing.

Q-IND assumption is defined by (5). We say that f satisfies Q-IND assumption if, for all probabilistic polynomial adversaries $\mathcal{A}=({\mathcal{A}}_1,{\mathcal{A}}_2)$, there exists a negligible function $\epsilon \left(I\right)$ such that:

$${\mathrm{Adv}}_{\mathcal{A}}^{\mathrm{Q}-\mathrm{IND}}\left(I\right)\le \epsilon \left(I\right)$$

(5)

Thus, no quantum PPT adversary can do better than a negligible advantage over random guessing.

The Q-IND assumption provides a foundation for cryptographic schemes that rely on semantic ambiguity in inversion. It supports primitives where: (a) Multiple valid preimages exist for the same output. (b) Only one preimage is correct in context (e.g., authentication or identity binding). (c) An adversary cannot identify the correct preimage without additional distinguishing information. This aligns with the QP challenge and supports LTS under controlled ambiguity.

The concept of Q-Indistinguishability (Q-IND) is closely related to classical security notions such as Indistinguishability Under Chosen-Plaintext Attack (IND-CPA) and Chosen-Ciphertext Attack (IND-CCA). While IND-CPA and IND-CCA define adversarial games where the goal is to distinguish between encryptions of two chosen plaintexts, Q-IND focuses on the adversary’s inability to identify the correct preimage among many indistinguishable valid candidates that map to the same output. In a classical setting, Q-IND introduces a stronger ambiguity by eliminating the notion of a unique solution, whereas IND-CPA and CCA still assume a single encryption of a specific message. In the quantum setting, Q-IND becomes even more significant, as it assumes hardness holds even when the adversary can query the function (or oracle) in superposition. This contrasts with quantum versions of IND-CPA/CCA, where encryption or decryption oracles are adapted to handle quantum queries. Therefore, Q-IND generalizes the notion of semantic security by enforcing indistinguishability over solution spaces rather than encrypted message pairs, offering a deeper level of resistance in both classical and quantum adversarial models.

2.3. Q-Secrecy Level $Q_{x}nI$

Let $x\in \{1,2\}$ be the hardness level to find the preimages. The first level is $Q_{1}nI$, it can be expressed as Easy to Find, Impossible to Distinguish (EFID). For example, $x+ymodp=a$ is easy to resolve, i.e., to find the possible preimages, but without any additional information about $x,y$, it is impossible to guess the correct pair.

The second level is $Q_{2}nI$; it can be expressed as Hard to Find, Impossible to Distinguish (HFID). For example, $x^y+y^{x}modp=a$ is not easy to resolve with large $x,y,p$ ($O\left(p^2\right)$ with brute-force strategy). It is considered computationally hard, like a variant of the Diophantine problem modulo p.

The other factor of Q-Secrecy that can be integrated with $Q_x$ is the number of solutions $nI$ (# preimages), which can be referred to as the degree $n\ge 2$ (Equation (6)).

$$n=min\left(min\right|\mathcal{P}\left[f_i\right]|,|\mathcal{P}\left[S\right]\left|\right)$$

(6)

where $\left|\mathcal{P}\right[f_i\left]\right|$ denotes the number of solutions of a single equation i, and $\left|\mathcal{P}\right[S\left]\right|$ is the number of solutions of the entire system. Thus, the first example $x+y$ belongs to $Q_{1}pI$ and the second $x^y+y^x$ belongs to $Q_{2}pI$.

Supposing that $j>i$, of hardness level is as follows: $Q_{1}iI$, ($Q_{1}jI$, $Q_{2}iI$), then $Q_{2}jI$. The level between $Q_{1}jI$ and $Q_{2}iI$ depends on the scenario.

The hash function could be another example of HFID if the input length is large and unknown to the adversary, which will give him a large set of preimages, of course, in a context where he cannot determine which is the correct one. This example remains valid unless an efficient algorithm exists to calculate the hash preimages other than brute force, which is infeasible for large input sizes. Otherwise, it is EFID.

3. QP: Formal Presentation

QP is defined as follows:

$$\mathrm{QP}\iff \left\{\begin{array}{l}\mathrm{Let} QE:\{Q{e}_1,Q{e}_2,\dots ,Q{e}_n\}\mathrm{be}\mathrm{the}\mathrm{system}\hfill \\ 1▹Q{e}_i:\{x_i\star y_i; \mathrm{and}/\mathrm{or} z_i\}\mathrm{is}\mathrm{a}\mathrm{Q}\text{-}\mathrm{expression}\mathrm{where}\text{:}\\ \hspace{1em}{x}_i,y_i,z_i\in \mathcal{D}, \mathrm{and} \mathcal{D} \mathrm{is} \mathrm{the} \mathrm{set} \mathrm{of} \mathrm{all} \mathrm{digital} \mathrm{data} \mathrm{structures} (\mathrm{digital} \mathrm{objects});\\ \hspace{1em}\star \mathrm{is} a \mathrm{generic} \mathrm{operation} \mathrm{over} \mathcal{D};\\ \hspace{1em}{x}_i \mathrm{and} y_i \mathrm{may} \mathrm{be} \mathrm{atomic} \mathrm{or} \mathrm{composed}, z_i: \mathrm{atomic} \mathrm{object}\\ 2▹Q{e}_1{\theta }_{1}Q{e}_2\dots {\theta }_{n-1}Q{e}_n=\perp \\ : \mathrm{combining} \mathrm{Q}\text{-}\mathrm{expressions} \mathrm{gives} \mathrm{no} \mathrm{information} \mathrm{about} x_i \mathrm{and} y_i\\ 3▹\mathrm{Given} \mathrm{public} \mathrm{parameter}\left(s\right) p, \forall Q{e}_i,(x_i,y_i)\theta p=\perp \\ 4▹\mathrm{Given} p, \mathrm{and} \mathrm{instance} a_i=x_i\star y_i, \forall Q{e}_i, |{\mathcal{P}}_{a_i}\left[Q{e}_i\right]|\ge 2I\\ 5▹\mathrm{Given} \mathrm{QE}, |{\mathcal{P}}_{a_1,a_2,\dots a_n}\left[QE\right]|\ge 2I\\ 6▹\mathrm{Let} F_{\theta }:{QE}_n\stackrel{\mathit{reducedto}}{\to }{\mathit{QE}}_{n^{\prime }}^{\prime },{\mathit{QE}}_{n^{\prime }}^{\prime }|={\mathrm{QP}}_{1–6}\\ 5▹\mathrm{Only} \mathrm{hidden} \mathrm{objects} \mathrm{are} \mathrm{considered}, \mathrm{i}.\mathrm{e}., \mathrm{coefficients}/\mathrm{constants} \mathrm{are} \mathrm{ignored}.\end{array}\right.$$

$QE$ denotes the overall system or protocol instance, e.g., $Alice\stackrel{Q{e}_1}{\to }Bob$, and $Bob\stackrel{Q{e}_2}{\to }Alice$, so $QE:\{Q{e}_1,Q{e}_2\}$ must satisfy QP conditions, namely Points (1) through (6) as defined in the QP framework.

A $QE$ is an abstract expression over digital structures with arbitrary operations, whose goal is to encode its operands using one or more forms of data hiding under formal indistinguishability constraints, which includes a wide spectrum of computational and information-theoretic methods; Qe could be an atomic digital object or composed with any meaningful operations between digital structures. Operands x and y may be an atomic digital object or a composed expression built from subcomponents via one or more operations, e.g., $x=x_1\star x_2$, $x_1=x_{11}\star x_{12}$, and so on.

In Point 2, ⊥ states that the values of $x_i$ and $y_i$ remain hidden even with combining Q-expressions.

In Point 3, ⊥ states that neither x nor y has any relation with the public parameter p that would reveal hidden values, and that the adversary cannot infer any confidential information about the secret $x,y$ from $f(x,y,p)$.

$|{\mathcal{P}}_a\left[Qe\right]|\ge 2I$ means that $\#Sols(a=x\star y)\ge 2I$, it can be presented as: $\left|\mathcal{P}\right[Q{e}^a\left]\right|\ge 2I$.

$|{\mathcal{P}}_{a_1,a_2,\dots a_n}\left[QE\right]|\ge 2I$ means that $\#Sol{s}_{QE}(a_1=Q{e}_1,a_2=Q{e}_2,\dots a_n=Q{e}_n)\ge 2I$ where $a_i$: are instances. This states that combining Q-expressions gives more than two indistinguishable solutions.

Point 6 in QP definition meant that the new system $Q{E}^{\prime }$ derived (reduced) from combining $Q{e}_i$ of the initial $QE$ using operations $\theta$ must be, in turn, a QP, and so on (Equation (7)).

$$\{Q{e}_1{\theta }_{1}Q{e}_2{\theta }_2\dots Q{e}_n\}\to \{Q{e}_1^{\prime },Q{e}_2^{\prime },\dots ,Q{e}_{n^{\prime }}^{\prime }\}$$

(7)

For instance, we put $QE:\{Q{e}_1^a:a=x+2y+1,Q{e}_2^b:b=x-z^2\}$, $Q{E}^{\prime }:\{Q{e}_1^{\prime c}:c=2y-z^2+1\}$ is QP; but $QE:\{Q{e}_1^a:a=y^x,Q{e}_2^b:b=z^x,Q{e}_3^c:c=yz\}$, $Q{E}^{\prime }:\{Q{e}_1^{\prime }:c,Q{e}_2^{\prime }:c^x\}$ it is not QP because the secret variable x can be retrieved using a quantum computer.

To evaluate a $Qe$, only hidden objects are considered, i.e., coefficients/constants are ignored. For example, $2x,x+1,x^2,5hash\left(x\right),4\left|\right|x$ are elementary (atomic).

In practice, there are some conditions that must be applied to ensure the safety of Q-IND. Operation ⋆ must be free of trapdoor patterns, e.g., for multiplication $x·y=a$, the adversary could try all divisors of a; if any structure leaks, the assumption might fail. Side channel attacks must be taken into account; if an adversary can learn partial bits of the inputs, e.g., via timing, Q-IND can be broken. There should not be a correlation with the external state, i.e., inputs must appear random even if the adversary knows message/ciphertext mappings.

4. QP: Models, Quantitative View, and Use Cases

We define five models of QP.

4.1. Connected and Disconnected QP (CQP, DQP)

CQP, DQP are illustrated in (8)

$$\left\{\begin{array}{c}\mathrm{CQP}:\forall i,jQ{e}_i\cap Q{e}_j\ne \varnothing \hfill \\ \mathrm{DQP}:\forall i,jQ{e}_i\cap Q{e}_j=\varnothing \hfill \end{array}\right.$$

(8)

In CQP, there exists at least one common elementary secret object shared between two or more $Qe$ in $QE$. Consider these examples:

$$\left\{\begin{array}{c}\mathrm{CQP}:Q{e}_1:x+ymodp=a,Q{e}_2:x+zmodp=b,\mathrm{so}Q{e}_1\cap Q{e}_2=\left\{x\right\}\hfill \\ \mathrm{DQP}:Q{e}_1:x+ymodp=a,Q{e}_2:z+vmodp=b,\mathrm{so}Q{e}_1\cap Q{e}_2=\varnothing \hfill \end{array}\right.$$

Note that the parameter p is not considered a common object. Therefore, if $Q{e}_i\cap Q{e}_j=\left\{\alpha \right\}$ where $\alpha$ is public and does not contain a secret object, that does not affect the system being DQP.

4.2. Totally and Partly QP (TQP, PQP)

If CQP/DQP is about two different $Qe$ (vertical change $Q{e}_1$ and $Q{e}_2$), TQP/PQP is about the same $Qe$ (horizontal change $Q{e}_1^1$ and $Q{e}_1^2$), but two different inputs. Suppose that their corresponding outputs are $a_1=x_1\star y_1,a_2=x_2\star y_2$ (Equation (9)).

$$\left\{\begin{array}{c}\mathrm{TQP}:\forall i\mathrm{for}Q{e}_i^{1,2},x_1\ne x_2\mathrm{and}{y}_1\ne y_2\hfill \\ \mathrm{PQP}:\mathrm{otherwise}\hfill \end{array}\right.$$

(9)

Consider this example: k is the secret key for encryption, m is the plaintext. Suppose that the input is $(k,m)$.

$$\left\{\begin{array}{c}Q{e}_1^1:c_1=k{m}_1,Q{e}_2^1:h_1=hash\left(m_1\right)\hfill \\ Q{e}_1^2:c_2=k{m}_2,Q{e}_2^2:h_2=hash\left(m_2\right)\hfill \end{array}\right.$$

In $Q{e}_1$, note that m (represents y) has changed but k (represents x) does not, i.e., $x_1=x_2$. Therefore, this $QE$ is PQP and not TQP.

4.3. Fully and Partially Probabilistic QP (FPQP, PPQP)

If TQP/PQP is a horizontal change for two different inputs, FPQP/PPQP is a horizontal change for the same input. Suppose that the corresponding outputs are $a=x\star y,a^{\prime }=x^{\prime }\star y^{\prime }$ (Equation (10)).

$$\left\{\begin{array}{c}\mathrm{FPQP}:\forall i\mathrm{for}Q{e}_i^{a,a^{\prime }},x\ne x^{\prime }\mathrm{and}y\ne y^{\prime }\hfill \\ \mathrm{PPQP}:\mathrm{otherwise}\hfill \end{array}\right.$$

(10)

Consider this example: k is the secret key for encryption, m is the plaintext, and r is a fresh random number. Suppose that the input is $(k,m)$.

$$\left\{\begin{array}{c}\mathrm{PPQP}:Q{e}_1^c:c=km+r_1,Q{e_1^{\prime }}^{c^{\prime }}:c^{\prime }=km+r_2\hfill \\ \mathrm{FPQP}:Q{e}_1^c:c=m+r_1{k}_1+r_2{k}_2,\hfill \\ Q{e_1^{\prime }}^{c^{\prime }}:c^{\prime }=m+r_3{k}_1+r_4{k}_2\hfill \end{array}\right.$$

Note that in PPQP, where $x=km$ and $y=r$, y has changed but x has not in the two instances $Q{e}_1$ and $Q{e}_1^{\prime }$ for the same input m. In contrast, in FPQP where $x=(m+r_1{k}_1)$, $y=r_2{k}_2$, both x and y have changed ($x^{\prime }=(m+r_3{k}_1)$, $y^{\prime }=r_4{k}_2$). This scheme is similar to Gentry’s scheme, $c=m+r2+qp$, where $r,q$ are random.

In deterministic QP (SQP), $a=a^{\prime }$, the same output for the same input. For operations that are not repetitive, such as generating a public key, it is sufficient for x and y to be unknown.

We emphasize that if a system satisfies $FPQP$ or $PPQP$, then it necessarily satisfies $TQP$ or $PQP$, respectively.

4.4. Perfect QP (FQP)

An FQP is a fully probabilistic QP (FPQP) such that, under Successive Breakdown of Components (SBC), each resulting part remains an FPQP, down to the final, indivisible $Qe$ (elementary, atomic, or non-decomposable $Qe$).

$$\mathrm{FQP}:SBC\left(FPQP\right)\to FPQP$$

(11)

Let $Q_e$ be a QP expression defined as $Q_e:=x_1\star x_2\star \dots \star x_n$ where each $x_i\in \mathcal{D}$. As shown in (11), SBC is a recursive process that transforms $Q_e$ into a sequence of finer-grained expressions by recursively applying structural expansions to one or more components $x_i$ based on their internal structure, subject to the following:

1. Initial Step: Let $Q_e^{\left(0\right)}=Q_e$.

2. Recursive Step: For each $k\ge 0$, the k-th breakdown produces a new expression $Q_e^{(k+1)}$ by replacing at least one component $x_i^{\left(k\right)}\in Q_e^{\left(k\right)}$ with a more granular expression: $x_i^{\left(k\right)}\to x_{i1}^{(k+1)}\star x_{i2}^{(k+1)}\star \dots \star x_{im}^{(k+1)}$ where each $x_{ij}^{(k+1)}\in \mathcal{D}$.

3. Termination Condition: The process continues until all components are elementary (atomic), meaning they are no longer decomposable within the domain $\mathcal{D}$.

We denote the final expression by $Q_e^{(\ell )}$, where ℓ is the number of breakdown steps required to reach a fully resolved form $Q_e^{(\ell )}:x_1^{(\ell )}\star x_2^{(\ell )}\star \dots \star x_m^{(\ell )}$ (elementary form).

In the context of Perfect QP (FQP), each intermediate expression $Q_e^{\left(k\right)}$ must remain a valid FPQP throughout the SBC process.

Consider the precedent example of $FPQP:Q{e}^c:c=m+r_1{k}_1+r_2{k}_2$. If we put $x=(m+r_1{k}_1)$, $y=r_2{k}_2$, the first SBC on x gives $x_1=m$, $x_2=rk$, which is only PPQP. Therefore, this $QE$ is not FQP.

Again, consider the precedent example of $PPQP:Q{e}^c:c=km+r$, so $x=km$ and $y=r$. Suppose now that the same plaintext m and the encryption secret key k have intervals. When calculating c, variables m and k are selected at random from their intervals. The original plaintext can be retrieved as: $m=c÷k^{*}$ where ÷ denotes the integer division, $k^{*}$ is a constant secret key, and r is a random number less than $k^{*}$. An illustrative numerical example could be: $m_1\in [1,4],m_2\in [5,8]$, etc., $k\in [1010,1020]$, $k^{*}=1000$. Then, $c_1=3\times 1012+22=3056$, $c_1^{\prime }=4\times 1015+107=4167$, and $m=3056÷1000=3$, $m^{\prime }=4167÷1000=4$. Subexpression y is atomic, the SBC on x is $x_1=m,x_2=k$. Note that $x_1\ne x_1^{\prime }$ and $x_2\ne x_2^{\prime }$ for the same plaintext. On the other hand, each elementary Q-expression is changed for two instances of the same input. Accordingly, this scheme is $FQP$.

4.5. Ideal QP (IQP)

IQP is $DFQP$, which means a Disconnect and a Perfect QP. An example of IQP is introduced: a Message-Fragmentation-based OTP encryption scheme (MFOTP). In this scheme, $c_m=(c_1,c_2)=(m_1\oplus k_1,m_2\oplus k_2)$ where $m_1$ and $m_2$ are two random fragments of m, $k_1\ne k_2$ even if the same plaintext m is encrypted again.

Why is the suggested MFOTP an IQP?

Let $QE$ be a system, $QE:\{Q{e}_1,Q{e}_2\}$, $Q{e}_1^{c_1}:c_1=m_1\oplus k_1,Q{e}_2^{c_2}:c_2=m_2\oplus k_2$, this is presented as $x\oplus y$. Both x and y are hidden, $\mid {\mathcal{P}}_c\mid \ge 2I$ is satisfied due to the existence of many indistinguishable ($m,k$) where $m\oplus k=c$. Thus, $QE$ is QP.

Elements x and y are atomic, and $(m_1\oplus k_1)\cap (m_2\oplus k_2)=\varnothing$, so $QE$ is DQP. For two inputs $m_1,m_2$: $m_1:Q{e}_{11}^{c_{11}}:c_{11}=m_{11}\oplus k_{11},Q{e}_{12}^{c_{12}}:c_{12}=m_{12}\oplus k_{12}$; and $m_2:Q{e}_{21}^{c_{21}}:c_{21}=m_{21}\oplus k_{21},Q{e}_{22}^{c_{22}}:c_{22}=m_{22}\oplus k_{22}$.

Noting that $\forall iforQ{e}_i,x_{m_1}\ne x_{m_2}$ and $y_{m_1}\ne y_{m_2}$, so $QE$ is TQP. In addition, for a new m, a new fragmentation will be used, i.e., $m_{ij}\ne m_{ij}^{\prime }$, and new keys are used ($k_{ij}\ne k_{ij}^{\prime }$). Every object in $QE$ is changed even with the same input; therefore, this scheme is FPQP. Now, MFOTP is DQP and FPQP, which means that MFOTP is an IQP.

4.6. OTP and Q-Problem

It is known that in OTP, a one-time encryption key is used. For example, if $Enc\left(m\right):c=m\oplus k_1$ and $c^{\prime }=m\oplus k_2$ for the same input m, we find that $x=x^{\prime }=m$. Therefore, the basic version of OTP is not fully probabilistic but a partially probabilistic QP.

To convert it from PPQP to FPQP, random fragmentation of the message m into two parts can be used. Thus, the first encryption of m is $c=(m_1\oplus k_1,m_2\oplus k_2)$, the second encryption of m is $c=(m_1^{\prime }\oplus k_1^{\prime },m_2^{\prime }\oplus k_2^{\prime })$. That gives $x=m_1\ne x^{\prime }=m_1^{\prime }$ and $y=k_1^{\prime }\ne y^{\prime }=k_1^{\prime }$, the same thing for the second part of m i.e., $x=m_2\ne x^{\prime }=m_2^{\prime }$ and $y=k_2\ne y^{\prime }=k_2^{\prime }$. Therefore, using two keys for each message instead of one is needed. Since it is easy to obtain valid solutions ($m,k$) in $c=m\oplus k$ for a given c, basic OTP and MFOTP are $Q_{1}nI$. Figure 1 summarizes the presented Q-Problem models.

4.7. Quantitative View of QP Models

Although the QP taxonomy is defined structurally, each class can be approximated quantitatively in terms of the number of indistinguishable preimages ($|{\mathcal{P}}_a\left[Qe\right]|$) and the associated adversarial advantage. For example, in an Ideal QP (IQP), each output is derived from a disconnected and perfectly decomposable expression, producing a large set of indistinguishable preimages and minimizing the adversary’s ability to recover the true origin. In contrast, classes such as PPQP or PQP may provide only partial variation or structural overlap.

Table 2. Qualitative and quantitative comparison of QP model classes.

QP Class	Distinction Type	$|{\mathcal{P}}_{\mathit{a}}\left[\mathit{Q}\mathit{e}\right]|$	SBC
IQP	Disconnected + Perfect	$2^{x_1}$	Fully
FQP	Fully Decomposable FPQP	$2^{x_2}$	Fully
FPQP	Probabilistic over same input	$2^{x_3}$	Partially
PPQP	Partial randomness (same input)	$2^{x_4}$	Varies
TQP	Different inputs, all parts vary	$2^{x_5}$	N/A
PQP	Different inputs, partial overlap	$2^{x_6}$	N/A
DQP	$Q{e}_i$ are disjoint	$2^{y_1}$	N/A
CQP	$Q{e}_i$ share at least one term	$2^{y_2}$	N/A

summarizes the distinctions across QP levels, allowing practitioners to select appropriate configurations based on entropy goals and attack models.

Table 2 shows a qualitative and quantitative comparison of QP model classes, where $x_1>x_2>x_3>x_4>x_5>x_6$ and $y_1>y_2$ are entropy estimates for indistinguishable sets, and Adv. success $\le 1/2^{x_i}$ (respectively, $\le 1/2^{y_i}$). We can not compare CQP/DQP with other classes because CQP/DQP is inter-Qe and the others are intra-Qe, except IQP, which relies on two dimensions.

4.8. QP Use Cases

This point explains how the belonging of schemes to QP is analyzed.

Let us take RSA, $c=m^{e}modn$ where e is the public key. Since values c and e are given, and the only hidden variable is m, RSA’s expression is in the form of $x^y$ where y is known, so $x^y=a$ has only one solution. Therefore, point 4 in the formal definition is not satisfied, and RSA is not QP. Furthermore, e depends on n where $e\times d\equiv 1mod\varphi \left(n\right)$.

Let us take ElGamal, $c=(m\times h^r,g^r)$ where $h=g^k$ is the public key and k is the secret key. The first part $m\times h^r$ belongs to QP, $x=m$ (unknown) and $y=h^r$ (unknown because r is hidden). Since g is public, the expression of the second part $g^r$ is in the form of $x^y$ where x is known, so ElGamal does not belong to QP.

Let us take Gentry’s FHE scheme (DGHV) that is written as $c=m+2r+qp$ where r and q are random for each encryption and p is a secret key. It can be considered that this scheme is QP, if we put $x=m+2r$ and $y=qp$, then $c=x+y$, this form verifies all conditions of QP. Since it has only one $Qe$, it is DQP; for two different inputs, $x,y$ will be changed, which makes it TQP; for two different instances of the same input, $x,y$ will be changed, so it is FPQP; we note that not each elementary variable, e.g., m, will be changed for two instances of the same input, so it is not FQP; consequently, the scheme is not IQP. Given c, the possible solutions in $c=m+2r+qp$ are easy to find, so Gentry’s scheme is $Q_{1}nI$.

As for Kyber-NIST, Key Encapsulation Mechanism, the public key is $(A,t)$ where $t=As+e$, ($s,e$) is the secret key. The encapsulation function computes $(u,v)=(Ar+e_1,tr+e_2)$ where $r,e_1,r_2$ are random. The system $QE:Q{e}_1:As+e,Q{e}_2:Ar+e_1,Q{e}_3:tr+e_2$ satisfies QP definition, for example, $s,e$ are hidden in $Q{e}_1$, $r,e_1$ are hidden in $Q{e}_2$, $r,e_2$ are hidden in $Q{e}_3$. We note that $Q{e}_1\cap Q{e}_3=\left\{e\right\}$, and $Q{e}_2\cap Q{e}_3=\left\{r\right\}$, so it is not DQP but CQP. To check TQP/PQP (respectively, FPQP/PPQP, FQP), $Q{e}_1$ is not considered because it concerns the generation of the public key, and it is computed once. If we put $x=Ar,y=e_1$ (respectively, $tr,e_2$), terms $x,y$ will be changed for two different inputs, so it is TQP, also for two different instances of the same inputs (new encryption of the same plaintext), so it is FPQP. Kyber is not FQP because not every elementary variable will be changed. After SBC, $x_1=x_1^{\prime }=A$ (or t), for two instances, does not change. Consequently, Kyber is not IQP. Given t in $t=As+e$ and $(u,v)$ in $(u=Ar+e_1,v=tr+e_2)$, the possible solutions are easy to find, so Kyber is $Q_{1}nI$.

The same thing for FrodoKEM-NIST, Key Encapsulation Mechanism, it uses the public key $(A,B)$ where $B=As+e$, the encapsulation is: $(B^{\prime },C)=(A{s}^{\prime }+e^{\prime },B^T{s}^{\prime }+e^{″})$.

In Dilithium-NIST, Digital Signature Algorithm, the public key is $(A,t)$ where $t=A{s}_1+s_2$, ($s_1,s_2$) is the secret key. The signature function computes $(z,r)=(y+Hash(Ay,m)s_1,Hash(Ay,m)s_2)$ where y is random.

The system, $QE:Q{e}_1:A{s}_1+s_2,Q{e}_2:y+H(Ay,m)s_1,Q{e}_3:H(Ay,m)s_2$, satisfies QP definition. We note that $Q{e}_1\cap Q{e}_2=\left\{s_1\right\}$, and $Q{e}_1\cap Q{e}_3=\left\{s_2\right\}$, so it is not DQP but CQP. The common variable A is not considered because it is public. In $Q{e}_3$, we put $y=s_2$; y will not be changed for two different inputs, so the scheme is PQP, also for two different instances of the same inputs, so it is PPQP. Consequently, Dilithium is not FQP nor IQP. With given $(z,r)$ in $(z=y+Hash(Ay,m)s_1,r=Hash(Ay,m)s_2)$, the possible solutions for $(m,y,s_1,s_2)$ are not easy to find, so Dilithium is $Q_{2}nI$.

As for McEliece-NIST public-key encryption, the public key is $G^{\prime }$ where $G^{\prime }=SGP$, ($S,G,P$) is the secret key. The encryption function computes $c=m{G}^{\prime }+e$ where e is random. The system is $QE:Q{e}_1:SGP,Q{e}_2:m{G}^{\prime }+e$. We note that $Q{e}_1\cap Q{e}_2=\left\{G^{\prime }\right\}$, so the system is not DQP but CQP. In $Q{e}_2$, we put $x=m{G}^{\prime },y=e$; $x,y$ will be changed for two different inputs, so it is TQP, not for two different instances of the same inputs, so it is PPQP. In SBC, we put $x_1=m,x_2=G^{\prime }$; $G^{\prime }$ will not be changed for two instances of the same input, so it is not FQP; consequently, McEliece is not IQP. With a given $(G^{\prime },c)$ in $(G^{\prime }=SGP,c=m{G}^{\prime }+e)$, the possible solutions for (S, G, P, m, e) are easy to find, so Dilithium is $Q_{1}nI$.

Table 3. Classification of cryptographic schemes under QP. FQP is FPQP*, and IQP is DQP and FQP.

Scheme	QP	CQP, DQP	TQP, PQP	FPQP, PPQP	FQP	IQP	Degree
RSA	N	-	-	-	-	-	-
ElGamal	N	-	-	-	-	-	-
Gentry’s FHE	Y	DQP	TQP	FPQP	N	N	$Q_{1}nI$
Kyber	Y	CQP	TQP	FPQP	N	N	$Q_{1}nI$
FrodoKEM	Y	CQP	TQP	FPQP	N	N	$Q_{1}nI$
Dilithium	Y	CQP	PQP	PPQP	N	N	$Q_{2}nI$
McEliece	Y	CQP	TQP	PPQP	N	N	$Q_{1}nI$
OTP	Y	DQP	TQP	PPQP	N	N	$Q_{1}nI$
MFOTP	Y	DQP	TQP	FPQP	Y	Y	$Q_{1}nI$

summarizes this analysis and classification.

The QP framework establishes a novel structural foundation based on indistinguishability of preimages, aiming primarily to resist quantum adversaries. However, QP compliance, defined by satisfying the indistinguishability conditions such as Q-IND, does not automatically imply security against classical attacks. For instance, the expression $c=m·kmodp$ may satisfy the QP requirement of having multiple indistinguishable $(m,k)$ pairs that map to the same ciphertext c. However, this basic scheme is vulnerable to classical attacks, such as known-plaintext or chosen-plaintext attacks, especially if the key k is reused or low-entropy inputs are involved. In such cases, an adversary can trivially recover m or k by computing modular inverses or exploiting statistical patterns. This illustrates that not every QP-compliant scheme is secure against classical threats. As in traditional cryptography, QP-based designs must be fortified with adequate primitives and resistance to adaptive attacks to achieve robust classical and quantum security. Therefore, while QP offers a strong post-quantum abstraction, practical schemes must still undergo rigorous classical cryptanalysis.

5. Conclusions

This article introduced the QP as a new theoretical framework in cryptography and privacy-preserving, centered on the definition of novel primitives and security notions such as Q-IND and LTS. The formalism captures how digital expressions can hide information structurally, across a wide class of operations and data types, by enforcing indistinguishability as a foundational property. As an initial demonstration, we focused on specific “expression forms, data structure, and operations”, illustrating the core components of the framework. While this version did not explore the full diversity of digital data structures, QP lays the groundwork for future exploration.

Although the present work focuses on classical digital structures, extending the QP framework to operate directly on quantum states, such as qubits, remains an open direction. Such an extension would require redefining Q-expressions in the context of quantum information theory and exploring indistinguishability under quantum superposition and entanglement.