On Quantum Chosen-Ciphertext Attacks and Learning with Errors ^†

Abstract

Large-scale quantum computing poses a major threat to classical public-key cryptography. Recently, strong “quantum access” security models have shown that numerous symmetric-key cryptosystems are also vulnerable. In this paper, we consider classical encryption in a model that grants the adversary quantum oracle access to encryption and decryption, but where we restrict the latter to non-adaptive (i.e., pre-challenge) queries only. We formalize this model using appropriate notions of ciphertext indistinguishability and semantic security (which are equivalent by standard arguments) and call it $\mathsf{QCCA}\mathsf{1}$ in analogy to the classical $\mathsf{CCA}\mathsf{1}$ security model. We show that the standard pseudorandom function ($\mathsf{PRF}$)-based encryption schemes are $\mathsf{QCCA}\mathsf{1}$-secure when instantiated with quantum-secure primitives. Our security proofs use a strong bound on quantum random-access codes with shared randomness. Revisiting plain $\mathsf{IND}-\mathsf{CPA}$-secure Learning with Errors ($\mathsf{LWE}$) encryption, we show that leaking only a single quantum decryption query (and no other leakage or queries of any kind) allows the adversary to recover the full secret key with constant success probability. Information-theoretically, full recovery of the key in the classical setting requires at least a linear number of decryption queries. Our results thus challenge the notion that $\mathsf{LWE}$ is unconditionally “just as secure” quantumly as it is classically. The algorithm at the core of our attack is a new variant of the well-known Bernstein–Vazirani algorithm. Finally, we emphasize that our results should not be interpreted as a weakness of these cryptosystems in their stated security setting (i.e., post-quantum chosen-plaintext secrecy). Rather, our results mean that, if these cryptosystems are exposed to chosen-ciphertext attacks (e.g., as a result of deployment in an inappropriate real-world setting) then quantum attacks are even more devastating than classical ones.

1. Introduction

1.1. Background

Full-fledged quantum computers with millions of logical qubits threaten classical cryptography dramatically. The ability of such devices to run Shor’s efficient quantum factoring algorithm (and its variants) would lead to devastation of the currently deployed public-key cryptography infrastructure [1,2]. This threat has led to significant work on so-called “post-quantum” alternatives, where a prominent category is occupied by cryptosystems based on the Learning with Errors ($\mathsf{LWE}$) problem of solving noisy linear equations over ${\mathbb{Z}}_q$ [3] and its variants [1,4]. The $\mathsf{LWE}$ problem is closely related to lattice problems and is widely believed to be intractable even for quantum computers. It thus forms the basis for a number of candidate post-quantum cryptosystems. In addition to motivating significant work on post-quantum cryptosystems, the threat of quantum computers has also spurred general research on secure classical cryptography in the presence of quantum adversaries. One area in particular explores strong security models where a quantum adversary gains precise quantum control over portions of a classical cryptosystem. In such models, a number of basic symmetric-key primitives can be broken by simple quantum attacks based on Simon’s algorithm [5,6,7,8,9]. It is unclear if the assumption behind these models is plausible for typical physical implementations of symmetric-key cryptography. However, attacks which involve quantumly querying a classical function are always available in scenarios where the adversary has access to a circuit for the relevant function. This is certainly the case for hashing, public-key encryption, and circuit obfuscation. Moreover, understanding this model is crucial for gauging the degree to which any physical device involved in cryptography must be resistant to reverse engineering or forced quantum behavior (consider, e.g., the so-called “frozen smart card” example [10]). For instance, one may reasonably ask: what happens to the security of a classical cryptosystem when the device leaks only a single quantum query to the adversary?

When deciding which functions the adversary might have (quantum) access to, it is worth recalling the classical setting. For classical symmetric-key encryption, a standard approach considers the security of cryptosystems when exposed to so-called chosen-plaintext attacks ($\mathsf{CPA}$). This notion encompasses all attacks in which an adversary attempts to defeat security (by, e.g., distinguishing ciphertexts or extracting key information) using oracle access to the function which encrypts plaintexts with the secret key. This approach has been highly successful in developing cryptosystems secure against a wide range of realistic real-world attacks. One devastating attack that allows an adversary to exercise precise control over a cryptosystem is characterized by a chosen-ciphertext attack ($\mathsf{CCA}$). In this scenario, the attacker receives adaptive access to the encryption and decryption procedures of a cryptosystem, i.e., the attacker is able to choose plaintexts and ciphertexts that depend on previous outcomes of the attack. Despite their strong security requirements, chosen-ciphertext attacks are often perfectly realistic. Surprisingly, even widely adopted cryptosystems such as RSA have been shown to be vulnerable. For example, a well-known attack due to Bleichenbacher [11] only requires access to an oracle that decides if the input ciphertext is encrypted according to a particular RSA standard.

In this work, we consider analogues of both $\mathsf{CPA}$ and $\mathsf{CCA}$ attacks, in which the relevant functions are quantumly accessible to the adversary. Prior works have formalized the quantum-accessible model for classical cryptography in several settings, including unforgeable message authentication codes and digital signatures [12,13], encryption secure against quantum chosen-plaintext attacks ($\mathsf{QCPA}$) [10,14], and encryption secure against adaptive quantum chosen-ciphertext attacks ($\mathsf{QCCA}\mathsf{2}$) [12]. Gagliardoni, Hülsing and Schaffner also consider a wide range of indistinguishability and semantic-security models within the $\mathsf{QCPA}$ framework [10].

1.2. Our Contributions

1.2.1. The Model

In this work, we consider a quantum-secure model of encryption called $\mathsf{QCCA}\mathsf{1}$. This model grants non-adaptive access to the decryption oracle, and is thus intermediate between $\mathsf{QCPA}$ and $\mathsf{QCCA}\mathsf{2}$. Studying weaker and intermediate models is a standard and useful practice in theoretical cryptography. In fact, $\mathsf{CPA}$ and CCA2 are intermediate models themselves, since they are both strictly weaker than authenticated encryption. Our particular intermediate model is naturally motivated: it is sufficent for a new and interesting quantum attack on $\mathsf{LWE}$ encryption. As is typical, the challenge in $\mathsf{QCCA}\mathsf{1}$ can be semantic, or take the form of an indistinguishability test, where the adversary supplies two challenge plaintexts $(m_0,m_1)$, receives a challenge ciphertext ${\mathsf{Enc}}_k\left(m_b\right)$ for random b, and must correctly guess b. Alternatively, the challenge can be semantic, where the adversary receives partial information about a plaintext m, and is tasked with outputting some additional information about m by making use of its encryption ${\mathsf{Enc}}_k\left(m\right)$. This leads to natural security notions for symmetric-key encryption, which we call $\mathsf{IND}-\mathsf{QCCA}\mathsf{1}$ and $\mathsf{SEM}-\mathsf{QCCA}\mathsf{1}$, respectively. Following previous works, it is straightforward to define both $\mathsf{IND}-\mathsf{QCCA}\mathsf{1}$ and $\mathsf{SEM}-\mathsf{QCCA}\mathsf{1}$ formally, and prove that they are equivalent [10,12,14].

We then prove $\mathsf{IND}-\mathsf{QCCA}\mathsf{1}$ security for two symmetric-key encryption schemes, based on standard assumptions. Specifically, we show that the standard encryption schemes based on quantum-secure pseudorandom functions ($\mathsf{QPRF}$) and quantum-secure pseudorandom permutations ($\mathsf{QPRP}$) are both $\mathsf{IND}-\mathsf{QCCA}\mathsf{1}$. We remark that both $\mathsf{QPRF}$ s and $\mathsf{QPRP}$ s can be constructed from quantum-secure one-way functions [15,16]. Our security proofs use a novel technique, in which we control the amount of information that the adversary can extract from the oracles and store in their internal quantum state (prior to the challenge) by means of a certain bound on quantum random-access codes.

1.2.2. A Quantum-Query Attack on $\mathsf{LWE}$

We then revisit the aforementioned question: what happens to a post-quantum cryptosystem if it leaks a single quantum query? Our main result is that standard $\mathsf{IND}-\mathsf{CPA}$-secure $\mathsf{LWE}$-based encryption schemes can be completely broken using only a single quantum decryption query and no other queries or leakage of any kind. In our attack, the adversary recovers the complete secret key with constant success probability. In standard bit-by-bit $\mathsf{LWE}$ encryption, a single classical decryption query can yield at most one bit of the secret key; The classical analogue of our attack thus requires $nlogq$ queries. The attack is essentially an application of a modulo-q variant of the Bernstein–Vazirani algorithm [17]. Our new analysis shows that this algorithm correctly recovers the key with constant success probability, despite the decryption function only returning an inner product which is rounded to one of two values. We show that the attack applies to four variants of standard $\mathsf{IND}-\mathsf{CPA}$-secure $\mathsf{LWE}$-based encryption: The symmetric-key and public-key systems originally described by Regev [3], the $\mathsf{FrodoPKE}$ scheme ($\mathsf{FrodoPKE}$ is an $\mathsf{IND}-\mathsf{CPA}$-secure building block in the $\mathsf{IND}-\mathsf{CCA}\mathsf{2}$-secure post-quantum cryptosystem “FrodoKEM” [18]. Our results do not affect the post-quantum security of Frodo and do not contradict the $\mathsf{CCA}\mathsf{2}$ security of FrodoKEM.) [18,19], and standard $\mathsf{Ring}-\mathsf{LWE}$  [20,21].

Finally, we consider a setting where the adversary receives one quantum encryption query, including access to the randomness register. We show that a similar algorithm again leads to complete key recovery in this model. In this case, the analysis amounts to the observation of Grilo et al. that the $\mathsf{LWE}$ problem becomes easy with access to quantum samples [22].

The novelty of our results on $\mathsf{LWE}$ is as follows. First, we show that a variant of the Bernstein–Vazirani algorithm succeeds even if the parameters correspond to a broad cryptographic security model; second, we show that this leads to a dramatic quantum speed-up in an actual attack: full key-recovery with a single quantum query in each case.

1.2.3. Important Caveats

Our results challenge the view that $\mathsf{LWE}$ encryption is “just as secure” classically as it is quantum in any real-world application; notably, this intuition stems from the conjecture that quantum computers do not seem to solve the standard $\mathsf{LWE}$ problem much faster than classical computers. Nonetheless, the reader is cautioned to interpret our work carefully. Our results do not indicate a weakness in $\mathsf{LWE}$ (or any $\mathsf{LWE}$-based cryptosystem) in the standard post-quantum security model. Since it is widely believed that quantum-algorithmic attacks will need to be launched over purely classical channels, post-quantum security does not allow for quantum queries to encryption or decryption oracles. Moreover, while our attack does offer a dramatic quantum speedup (i.e., one query vs. linear queries), the classical attack is already efficient.

The plain $\mathsf{LWE}$-based encryption schemes we consider in this work are already vulnerable to decryption queries in a purely classical attack model. In particular, we remark that one classical decryption query can produce at most one bit of the $(nlogq)$-bit key. Similarly, a classical encryption query which can access also the randomness used in the encryption can produce at most $logq$ bits of the key. Our results should thus not be interpreted as a weakness of these cryptosystems in their stated security setting (i.e., $\mathsf{IND}-\mathsf{CPA}$). The proper interpretation is that, if these cryptosystems are exposed to chosen-ciphertext attacks, then quantum attacks can be even more devastating than classical ones. Finally, we remark that schemes we attack can me modified to achieve chosen-ciphertext security [23].

1.2.4. Related Work

We remark that Grilo, Kerenidis and Zijlstra recently observed that a version of $\mathsf{LWE}$ with so-called “quantum samples” can be solved efficiently (as a learning problem) using Bernstein–Vazirani [22]. Our result, by contrast, demonstrates an actual cryptographic attack on standard cryptosystems based on $\mathsf{LWE}$, in a plausible security setting. Moreover, in terms of solving the learning problem, our analysis shows that constant success probability is achievable with only a single query, whereas [22] require a number of queries which is at least linear in the modulus q. In particular, our cryptographic attack succeeds with a single query even for superpolynomial modulus.

1.3. Technical Summary of Results

1.3.1. Security Model and Basic Definitions

First, we set down the basic $\mathsf{QCCA}\mathsf{1}$ security model, adapting the ideas of [10,13]. Recall that an encryption scheme is a triple $\mathsf{\Pi }=(\mathsf{KeyGen},\mathsf{Enc},\mathsf{Dec})$ of algorithms (key generation, encryption, and decryption, respectively) satisfying ${\mathsf{Dec}}_k\left({\mathsf{Enc}}_k\left(m\right)\right)=m$ for any key $k\leftarrow \mathsf{KeyGen}$ and message m. Here, $\mathsf{KeyGen}$ represents a procedure for generating a key, $\mathsf{Enc}$ represents the encryption procedure, and $\mathsf{Dec}$ the decryption procedure. In what follows, all oracles are quantum, meaning that a function f is accessed via the unitary operator $|x⟩|y⟩\mapsto |x⟩|y\oplus f\left(x\right)⟩$. We define ciphertext indistinguishability and semantic security as follows.

Definition 1

(informal). Π is $\mathsf{IND}-\mathsf{QCCA}\mathsf{1}$ if no quantum polynomial-time algorithm ($\mathsf{QPT}$) $\mathcal{A}$ can succeed at the following experiment with probability better than $1/2+negl\left(n\right)$.

1. 

a key $k\leftarrow \mathsf{KeyGen}\left(1^n\right)$ and a uniformly random bit $b\stackrel{\$}{\leftarrow }\{0,1\}$ are generated; $\mathcal{A}$ gets access to oracles ${\mathsf{Enc}}_k$ and ${\mathsf{Dec}}_k$, and outputs $(m_0,m_1)$;

2. 

$\mathcal{A}$ receives ${\mathsf{Enc}}_k\left(m_b\right)$ and gets access to an oracle for ${\mathsf{Enc}}_k$ only, and outputs a bit $b^{\prime }$; $\mathcal{A}$ wins if $b=b^{\prime }$.

Definition 2

(informal). Consider the following game with a $\mathsf{QPT}$ $\mathcal{A}$.

1. 

a key $k\leftarrow \mathsf{KeyGen}\left(1^n\right)$ is generated; $\mathcal{A}$ gets access to oracles ${\mathsf{Enc}}_k$, ${\mathsf{Dec}}_k$ and outputs circuits $(\mathsf{Samp},h,f)$;

2. 

Sample $m\leftarrow \mathsf{Samp}$; $\mathcal{A}$ receives $h\left(m\right)$, ${\mathsf{Enc}}_k\left(m\right)$, and access to an oracle for ${\mathsf{Enc}}_k$ only, and outputs a string s; $\mathcal{A}$ wins if $s=f\left(m\right)$.

Then Π is $\mathsf{SEM}-\mathsf{QCCA}\mathsf{1}$ if for every $\mathsf{QPT}$ $\mathcal{A}$ there exists a $\mathsf{QPT}$ $\mathcal{S}$ with the same winning probability but which does not get ${\mathsf{Enc}}_k\left(m\right)$ in step 2.

The following fact is straightforward.

Theorem 1.

A classical symmetric-key encryption scheme is $\mathsf{IND}-\mathsf{QCCA}\mathsf{1}$ if and only if it is $\mathsf{SEM}-\mathsf{QCCA}\mathsf{1}$.

1.3.2. Secure Constructions

Next, we show that standard pseudorandom-function-based encryption is $\mathsf{QCCA}\mathsf{1}$-secure, provided that the underlying $\mathsf{PRF}$ is quantum-secure (i.e., is a $\mathsf{QPRF}$.) a $\mathsf{QPRF}$ can be constructed from any quantum-secure one-way function, or directly from the $\mathsf{LWE}$ assumption [15]. Given a $\mathsf{PRF}$ $f={\left\{f_k\right\}}_k$, define $\mathsf{PRFscheme}\left[f\right]$ to be the scheme which encrypts a plaintext m using randomness r via ${\mathsf{Enc}}_k(m;r)=(r,f_k\left(r\right)\oplus m)$ and decrypts in the obvious way.

Theorem 2.

If f is a $\mathsf{QPRF}$, then $\mathsf{PRFscheme}\left[f\right]$ is $\mathsf{IND}-\mathsf{QCCA}\mathsf{1}$-secure.

We also analyze a standard permutation-based scheme. Quantum-secure $\mathsf{PRP}$ s (i.e., $\mathsf{QPRP}$ s) can be obtained from quantum-secure one-way functions [16]. Given a $\mathsf{PRP}$ $P={\left\{P_k\right\}}_k$, define $\mathsf{PRPscheme}\left[P\right]$ to be the scheme that encrypts a plaintext m using randomness r via ${\mathsf{Enc}}_k(m;r)=P_k\left(m\right|\left|r\right)$, where $\left|\right|$ denotes concatenation; to decrypt, one applies $P_k^{-1}$ and discards the randomness bits. We show the following.

Theorem 3.

If P is a $\mathsf{QPRP}$, then $\mathsf{PRPscheme}\left[P\right]$ is $\mathsf{IND}-\mathsf{QCCA}\mathsf{1}$-secure.

We briefly describe our proof techniques for Theorems 2 and 3. In the indistinguishability game, the adversary can use the decryption oracle prior to the challenge to (quantumly) encode information about the relevant pseudorandom function instance (i.e., $f_k$ or $P_k$) in their private, poly-sized quantum memory. From this point of view, establishing security means showing that this encoded information cannot help the adversary compute the value of the relevant function at the particular randomness used in the challenge. To prove this, we use a bound on quantum random access codes ($\mathsf{QRAC}$). Informally, a $\mathsf{QRAC}$ is a mapping from N-bit strings x to d-dimensional quantum states ${\varrho }_x$, such that given ${\varrho }_x$, and any index $j\in \left[N\right]$, the bit $x_j$ can be recovered with some probability $p_{x,j}=\frac{1}{2}+{ϵ}_{x,j}$. The average bias of such a code is the expected value of ${ϵ}_{x,j}$, over uniform x and j. A $\mathsf{QRAC}$ with shared randomness further allows the encoding and decoding procedures to both depend on some random variable.

Lemma 1.

The average bias of a quantum random access code with shared randomness that encodes N bits into a d-dimensional quantum state is $O\left(\sqrt{N^{-1}logd}\right)$. In particular, if $N=2^n$ and $d=2^{poly\left(n\right)}$ the bias is $O(2^{-n/2}poly\left(n\right))$.

The proof of Theorem 3 is similar to that of Theorem 2.

1.3.3. Key Recovery Against LWE

Our attack on $\mathsf{LWE}$ encryption will make use of a new analysis of the performance of a large-modulus variant of the Bernstein–Vazirani algorithm [17], in the presence of a certain type of “rounding” noise.

1.3.4. Quantum Algorithm for Linear Rounding Functions

In the simplest case we analyze, the oracle outputs 0 if the inner product is small, and 1 otherwise. Specifically, given integers $n\ge 1$ and $q\ge 2$, we consider keyed families of (binary) linear rounding functions, ${\mathsf{LRF}}_{\mathit{k},q}:{\mathbb{Z}}_q^n⟶\{0,1\}$, with key $\mathit{k}\in {\mathbb{Z}}_q^n$, as follows:

$${\mathsf{LRF}}_{\mathit{k},q}\left(\mathit{x}\right):=\left\{\begin{array}{cc}0\hfill & \mathrm{if}⟨\left|\mathit{x},\mathit{k}\right|⟩\le \lfloor \frac{q}{4}\rfloor ,\hfill \\ 1\hfill & \mathrm{otherwise}.\hfill \end{array}\right.$$

Here, $⟨·,·⟩$ denotes the inner product modulo q. Our main technical contribution is the following.

Theorem 4

(informal). There exists a quantum algorithm which runs in time $O\left(n\right)$, makes one quantum query to ${\mathsf{LRF}}_{\mathit{k},q}$ (with $q\ge 2$ and unknown $\mathit{k}\in {\mathbb{Z}}_q^n$), and outputs $\mathit{k}$ with probability at least ${\left(\frac{2}{\pi }-\frac{\pi }{8}\right)}^2\approx 0.059$.

We also show that the same algorithm succeeds against more generalized function classes, in which the oracle indicates which “segment” of ${\mathbb{Z}}_q$ the exact inner product belongs to.

1.3.5. One Quantum Query Against $\mathsf{LWE}$

Finally, we revisit our central question of interest: what happens to a post-quantum cryptosystem if it leaks a single quantum query? we show that, in standard $\mathsf{LWE}$-based schemes, the decryption function can (with some simple modifications) be viewed as a special case of a linear rounding function, as above. In standard symmetric-key or public-key $\mathsf{LWE}$, for instance, we decrypt a ciphertext $(\mathit{a},c)\in {\mathbb{Z}}_q^{n+1}$ with key $\mathit{k}$ by outputting 0 if $|c-⟨\mathit{a},\mathit{k}⟩|\le ⌊\frac{q}{4}⌋$ and 1 otherwise. In standard $\mathsf{Ring}-\mathsf{LWE}$, we decrypt a ciphertext $(u,v)$ with key k (here $u,v,k$ are polynomials in ${\mathbb{Z}}_q\left[x\right]/x^n+1$) by outputting 0 if the constant coefficient of $v-k·u$ is small, and 1 otherwise.

Each of these schemes is secure against adversaries with classical encryption oracle access, under the $\mathsf{LWE}$ assumption. If adversaries also gain classical decryption access, then it is not hard to see that a linear number of queries is necessary and sufficient to recover the private key. Our main result is that, by contrast, only a single quantum decryption query is required to achieve this total break. Indeed, in all three constructions described above, one can use the decryption oracle to build an associated oracle for a linear rounding function which hides the secret key. The following can then be shown using Theorem 4.

Theorem 5

(informal). Let Π be standard $\mathsf{LWE}$ or standard $\mathsf{Ring}-\mathsf{LWE}$ encryption (either symmetric-key, or public-key.) Let n be the security parameter. Then there is an efficient quantum algorithm that runs in time $O\left(n\right)$, uses one quantum query to the decryption function ${\mathsf{Dec}}_{\mathit{k}}$ of Π, and outputs the secret key with constant probability.

1.4. Organization

The remainder of this paper is organized as follows. In Section 2, we outline preliminary ideas that we will make use of, including cryptographic concepts, and notions from quantum algorithms. In Section 3, we define the $\mathsf{QCCA}\mathsf{1}$ model, including the two equivalent versions $\mathsf{IND}-\mathsf{QCCA}\mathsf{1}$ and $\mathsf{SEM}-\mathsf{QCCA}\mathsf{1}$. In Section 4, we define the $\mathsf{PRF}$ and $\mathsf{PRP}$ scheme, and show that they are $\mathsf{IND}-\mathsf{QCCA}\mathsf{1}$-secure. In Section 5, we show how a generalization of the Bernstein–Vazirani algorithm works with probability bounded from below by a constant, even when the oracle outputs some rounded value of $⟨\mathit{k},\mathit{x}⟩$ (i.e., the oracle is a linear rounding function). In Section 6, we use the results of Section 5 to prove that a single quantum decryption query is enough to recover the secret key in various versions of $\mathsf{LWE}$-encryption; we also observe a similar result for a model in which the adversary can make one quantum encryption query with partial access to the randomness register.

2. Preliminaries

2.1. Basic Notation and Conventions

Selecting an element x uniformly at random from a finite set X will be written as $x\stackrel{\$}{\leftarrow }X$. If we are generating a vector or matrix with entries in ${\mathbb{Z}}_q$ by sampling each entry independently according to a distribution $\chi$ on ${\mathbb{Z}}_q$, we will write, e.g., $\mathit{v}\stackrel{\chi }{\leftarrow }{\mathbb{Z}}_q^n$. Given a matrix $\mathit{A}$, ${\mathit{A}}^{\mathsf{T}}$ will denote the transpose of A. We will view elements $\mathit{v}$ of ${\mathbb{Z}}_q^n$ as column vectors; The notation ${\mathit{v}}^{\mathsf{T}}$ then denotes the corresponding row vector. We use bold fonts to discriminate between vectors (or matrices) and scalars. The Kronecker delta ${\delta }_{ij}$ of two nonnegative integers i and j is equal to 1 if $i=j$, and 0 otherwise. The notation $negl\left(n\right)$ denotes some function of n which is smaller than every inverse-polynomial. We denote the concatenation of strings x and y by $x\left|\right|y$. We abbreviate classical probabilistic polynomial-time algorithms as $\mathsf{PPT}$ algorithms. By quantum algorithm (or $\mathsf{QPT}$) we mean a polynomial-time uniform family of quantum circuits, where each circuit in the family is described by a sequence of unitary gates and measurements. In general, such an algorithm may receive (mixed) quantum states as inputs and produce (mixed) quantum states as outputs. Sometimes we will restrict $\mathsf{QPT}$s implicitly; for example, if we write $Pr[\mathcal{A}\left(1^n\right)=1]$ for a $\mathsf{QPT}$ $\mathcal{A}$, it is implicit that we are only considering those $\mathsf{QPT}$s that output a single classical bit. The notation $Pr[1\leftarrow \mathrm{G}\mathrm{AME}0]$ denotes the probability that a $\mathsf{QPT}\mathcal{A}$ outputs 1 in some security game $\mathrm{G}\mathrm{AME}0$.

Every function $f:{\{0,1\}}^m\to {\{0,1\}}^{\ell }$ determines a unitary operator $U_f:|x⟩|y⟩\to |x⟩|y\oplus f\left(x\right)⟩$ on $m+\ell$ qubits where $x\in {\{0,1\}}^m$ and $y\in {\{0,1\}}^{\ell }$. In this work, when we say that a quantum algorithm $\mathcal{A}$ gets (adaptive) oracle access to f (written ${\mathcal{A}}^f$), we mean that $\mathcal{A}$ can apply the oracle unitary $U_f$. This quantum oracle will sometimes also be denoted by ${\mathcal{O}}_f$.

Recall that a symmetric-key encryption scheme is a triple of classical probabilistic algorithms $(\mathsf{KeyGen}, \mathsf{Enc}, \mathsf{Dec})$ whose run-times are polynomial in some security parameter n. Such a scheme must satisfy the following property: when a key k is sampled by running $\mathsf{KeyGen}\left(1^n\right)$, then it holds that ${\mathsf{Dec}}_k\left({\mathsf{Enc}}_k\left(m\right)\right)=m$ for all m except with negligible probability in n. In this work, all encryption schemes will be fixed-length, i.e., the length of the message m will be a fixed (at most polynomial) function of n.

Since the security notions we study are unachievable in the information-theoretic setting, all adversaries will be modeled by $\mathsf{QPT}$s. When security experiments require multiple rounds of interaction with the adversary, it is implicit that $\mathcal{A}$ is split into multiple $\mathsf{QPT}$s (one for each round), and that these algorithms forward their internal (quantum) state to the next algorithm in the sequence.

2.2. Basic Number Theory Notation

We briefly review the following mathematical conventions. We denote the greatest common divisor (gcd) between two integers $a,b\in \mathbb{N}$ as $gcd(a,b)$. The multiplicative group of integers modulo a prime q is denoted as ${\mathbb{Z}}_q^{\times }$. Recall that for $m\in \mathbb{N}$, the Euler totient function $\phi \left(m\right)$ counts the number of positive integers up to m that are relatively prime to m. The Möbius function $\mu \left(n\right)$ is defined as the sum of the primitive n-th roots of unity. Finally, we also recall that $\omega \left(m\right)$ denotes the prime omega function which counts the number of distinct prime factors of an integer $m\in \mathbb{N}$.

2.3. Quantum-Secure Pseudorandomness

A pseudorandom function is a family of deterministic and efficiently computable functions that appear random to any $\mathsf{PPT}$ adversary with adaptive (classical) oracle access. Similarly, a quantum-secure pseudorandom function achieves security against $\mathsf{QPT}$ adversaries with adaptive quantum oracle access. More specifically, let $f:{\{0,1\}}^n\times {\{0,1\}}^m\to {\{0,1\}}^{\ell }$ be an efficiently computable function, where $n,m,\ell$ are integers and where f defines a family of functions ${\left\{f_k\right\}}_{k\in {\{0,1\}}^n}$ with $f_k\left(x\right)=f(k,x)$. We say f is a quantum-secure pseudorandom function (or $\mathsf{QPRF}$) if, for every $\mathsf{QPT}$  $\mathcal{A}$,

$$\left|\underset{k\stackrel{\$}{\leftarrow }{\{0,1\}}^n}{Pr}\left[{\mathcal{A}}^{f_k}\left(1^n\right)=1\right]-\underset{g\stackrel{\$}{\leftarrow }{\mathcal{F}}_m^{\ell }}{Pr}\left[{\mathcal{A}}^g\left(1^n\right)=1\right]\right|\le negl\left(n\right).$$

(1)

Here, ${\mathcal{F}}_m^{\ell }$ denotes the set of all functions from ${\{0,1\}}^m$ to ${\{0,1\}}^{\ell }$. The standard method for constructing a pseudorandom function from a one-way function produces a $\mathsf{QPRF}$, provided that the one-way function is quantum-secure [15,24,25].

A quantum-secure pseudorandom permutation is a a bijective function family of quantum-secure pseudorandom functions. More specifically, consider a function $P:{\{0,1\}}^n\times {\{0,1\}}^m\to {\{0,1\}}^m$, where n and m are integers, such that each function $P_k\left(x\right)=P(k,x)$ in the corresponding family ${\left\{P_k\right\}}_{k\in {\{0,1\}}^n}$ is bijective. We say P is a quantum-secure pseudorandom permutation (or $\mathsf{QPRP}$) if, for every $\mathsf{QPT}$ $\mathcal{A}$ with access to both the function and its inverse,

$$\left|\underset{k\stackrel{\$}{\leftarrow }{\{0,1\}}^n}{Pr}\left[{\mathcal{A}}^{P_k,P_k^{-1}}\left(1^n\right)=1\right]-\underset{\pi \stackrel{\$}{\leftarrow }{\mathcal{P}}_m}{Pr}\left[{\mathcal{A}}^{\pi ,{\pi }^{-1}}\left(1^n\right)=1\right]\right|\le negl\left(n\right),$$

(2)

where ${\mathcal{P}}_m$ denotes the set of permutations over m-bit strings. Throughout this work, we shall assume strong $\mathsf{QPRP}$ s under the above definition, i.e., such that the security is maintained despite additional access to an inverse. One can construct $\mathsf{QPRP}$ s from quantum-secure one-way functions [16].

2.4. Quantum Random Access Codes

A quantum random access code ($\mathsf{QRAC}$) is a two-party scheme for the following scenario involving two parties Alice and Bob [26]:

• Alice gets $x\in {\{0,1\}}^N$ and encodes it as a d-dimensional quantum state ${\varrho }_x$.
• Bob receives ${\varrho }_x$ from Alice, and some index $i\in \{1,\cdots ,N\}$, and is asked to recover the i-th bit of x, by performing some measurement on ${\varrho }_x$.
• They win if Bob’s output agrees with $x_i$ and lose otherwise.

We can view a $\mathsf{QRAC}$ scheme as a pair of (not necessarily efficient) quantum algorithms: one for encoding, and another for decoding. We remark that the definition of a $\mathsf{QRAC}$ does not require a bound on the number of qubits; The interesting question is with what parameters a $\mathsf{QRAC}$ can actually exist.

A variation of the above scenario allows Alice and Bob to use shared randomness in their encoding and decoding operations [27] (note that shared randomness per se does not allow them to communicate). Hence, Alice and Bob can pursue probabilistic strategies with access to the same random variable. Finally, the definition also takes into account that the encoder and decoder are allowed to share an entangled state as part of ${\varrho }_x$.

Define the average bias of a $\mathsf{QRAC}$ with shared randomness as $ϵ=p_{\mathrm{win}}-1/2$, where $p_{\mathrm{win}}$ is the winning probability averaged over $x\stackrel{\$}{\leftarrow }{\{0,1\}}^N$ and $i\stackrel{\$}{\leftarrow }\{1,\cdots ,N\}$.

2.5. Quantum Fourier Transform

For any positive integer q, the quantum Fourier transform over ${\mathbb{Z}}_q$ is defined by the operation

$${\mathsf{QFT}}_{{\mathbb{Z}}_q}|x⟩=\frac{1}{\sqrt{q}}\sum _{y\in {\mathbb{Z}}_q}{\omega }_q^{x·y}|y⟩,$$

where ${\omega }_q=e^{\frac{2\pi i}{q}}$. Due to early work by Kitaev [28], this variant of the Fourier transform can be implemented using quantum phase estimation in complexity polynomial in $logq$. An improved approximate implementation of this operation is due to Hales and Hallgren [29].

3. The QCCA1 Security Model

3.1. Quantum Oracles

In our setting, adversaries will (at various times) have quantum oracle access to the classical functions ${\mathsf{Enc}}_k$ and ${\mathsf{Dec}}_k$. The case of the deterministic decryption function ${\mathsf{Dec}}_k$ is simple: The adversary gets access to the unitary operator $U_{{\mathsf{Dec}}_k}:|c⟩|m⟩\mapsto |c⟩|m\oplus {\mathsf{Dec}}_k\left(c\right)⟩.$ For encryption, to satisfy $\mathsf{IND}-\mathsf{CPA}$ security, ${\mathsf{Enc}}_k$ must be probabilistic and thus does not correspond to any single unitary operator. Instead, each encryption oracle call of the adversary will be answered by applying a unitary sampled uniformly from the family ${\left\{U_{{\mathsf{Enc}}_k,r}\right\}}_r$ where

$$U_{{\mathsf{Enc}}_k,r}:|m⟩|c⟩\mapsto |m⟩|c\oplus {\mathsf{Enc}}_k(m;r)⟩$$

and r varies over all the possible values of the randomness register of ${\mathsf{Enc}}_k$. Note that, since ${\mathsf{Enc}}_k$ and ${\mathsf{Dec}}_k$ are required to be probabilistic polynomial-time algorithms provided by the underlying classical symmetric-key encryption scheme, both $U_{{\mathsf{Enc}}_k,r}$ and $U_{{\mathsf{Dec}}_k}$ correspond to efficient and reversible quantum operations. For the sake of brevity, we adopt the convenient notation ${\mathsf{Enc}}_k$ and ${\mathsf{Dec}}_k$ to refer to the above quantum oracles for encryption and decryption respectively.

3.2. Ciphertext Indistinguishability

We now define indistinguishability of encryptions (for classical, symmetric-key schemes) against non-adaptive quantum chosen-ciphertext attacks.

Definition 3

($\mathsf{IND}-\mathsf{QCCA}\mathsf{1}$). Let $\mathsf{\Pi }=(\mathsf{KeyGen},\mathsf{Enc},\mathsf{Dec})$ be an encryption scheme, $\mathcal{A}$ a $\mathsf{QPT}$, and n the security parameter. Define $\mathsf{IndGame}(\mathsf{\Pi },\mathcal{A},n)$ as follows.

1. 

Setup: a key $k\leftarrow \mathsf{KeyGen}\left(1^n\right)$ and a bit $b\stackrel{\$}{\leftarrow }\{0,1\}$ are generated;

2. 

Pre-challenge:$\mathcal{A}$ gets access to oracles ${\mathsf{Enc}}_k$ and ${\mathsf{Dec}}_k$, and outputs $(m_0,m_1)$;

3. 

Challenge:$\mathcal{A}$ gets ${\mathsf{Enc}}_k\left(m_b\right)$ and access to ${\mathsf{Enc}}_k$ only, and outputs a bit $b^{\prime }$;

4. 

Resolution:$\mathcal{A}$ wins if $b=b^{\prime }$.

Then Π has indistinguishable encryptions under non-adaptive quantum chosen ciphertext attack (or is $\mathsf{IND}-\mathsf{QCCA}\mathsf{1}$) if, for every $\mathsf{QPT}$ $\mathcal{A}$,

$$Pr[⊣wins\mathsf{IndGame}(\mathsf{\Pi },\mathcal{A},n\left)\right]\le 1/2+negl\left(n\right).$$

By inspection, one immediately sees that our definition lies between the established notions of $\mathsf{IND}-\mathsf{QCPA}$ and $\mathsf{IND}-\mathsf{QCCA}\mathsf{2}$  [10,12,14]. It will later be convenient to work with a variant of the game $\mathsf{IndGame}$, which we now define.

Definition 4

(${\mathsf{IndGame}}^{\prime }$). We define the experiment ${\mathsf{IndGame}}^{\prime }(\mathsf{\Pi },\mathcal{A},n)$ just as $\mathsf{IndGame}(\mathsf{\Pi },\mathcal{A},n)$, except that in the pre-challenge phase $\mathcal{A}$ only outputs a single message m, and in the challenge phase $\mathcal{A}$ receives ${\mathsf{Enc}}_k\left(m\right)$ if $b=0$, and ${\mathsf{Enc}}_k\left(x\right)$ for a uniformly random message x if $b=1$.

Working with ${\mathsf{IndGame}}^{\prime }$ rather than $\mathsf{IndGame}$ does not change security. Specifically (as we show in Appendix A.2), $\mathsf{\Pi }$ is $\mathsf{IND}-\mathsf{QCCA}\mathsf{1}$ if and only if, for every $\mathsf{QPT}$ $\mathcal{A}$, $Pr[⊣wins{\mathsf{IndGame}}^{\prime }(\mathsf{\Pi },\mathcal{A},n)]\le 1/2+negl\left(n\right).$

3.3. Semantic Security

In semantic security, rather than choosing a pair of challenge plaintexts, the adversary chooses a challenge template: a triple of circuits $(\mathsf{Samp},h,f)$, where $\mathsf{Samp}$ outputs plaintexts from some distribution ${\mathcal{D}}_{\mathsf{Samp}}$, and h and f are functions with domain the support of ${\mathcal{D}}_{\mathsf{Samp}}$. The intuition is that $\mathsf{Samp}$ is a distribution of plaintexts m for which the adversary, if given information $h\left(m\right)$ about m together with an encryption of m, can produce some new information $f\left(m\right)$.

Definition 5

($\mathsf{SEM}-\mathsf{QCCA}\mathsf{1}$). Let $\mathsf{\Pi }=(\mathsf{KeyGen},\mathsf{Enc},\mathsf{Dec})$ be an encryption scheme, and consider the experiment $\mathsf{SemGame}\left(b\right)$ (with parameter $b\in \{\mathsf{real},\mathsf{sim}\}$) with a $\mathsf{QPT}$ $\mathcal{A}$, defined as follows.

1. 

Setup:a key $k\leftarrow \mathsf{KeyGen}\left(1^n\right)$ is generated;

2. 

Pre-challenge: $\mathcal{A}$ gets access to oracles ${\mathsf{Enc}}_k$ and ${\mathsf{Dec}}_k$, and outputs a challenge template $(\mathsf{Samp},h,f)$;

3. 

Challenge: a plaintext $m\stackrel{\$}{\leftarrow }\mathsf{Samp}$ is generated; $\mathcal{A}$ receives $h\left(m\right)$ and gets access to an oracle for ${\mathsf{Enc}}_k$ only; if $b=\mathsf{real}$, $\mathcal{A}$ also receives ${\mathsf{Enc}}_k\left(m\right)$; $\mathcal{A}$ outputs a string s;

4. 

Resolution: $\mathcal{A}$ wins if $s=f\left(m\right)$.

Π has semantic security under non-adaptive quantum chosen ciphertext attack (or is $\mathsf{SEM}-\mathsf{QCCA}\mathsf{1}$) if, for every $\mathsf{QPT}$ $\mathcal{A}$, there exists a $\mathsf{QPT}$ $\mathcal{S}$ such that the challenge templates output by $\mathcal{A}$ and $\mathcal{S}$ are identically distributed, and

$$\left|Pr[⊣wins\mathsf{SemGame}(\mathsf{real}\left)\right]-Pr\left[\mathcal{S}wins\mathsf{SemGame}\right(\mathsf{sim}\left)\right]\right|\le negl\left(n\right).$$

Our definition is a straightforward modification of $\mathsf{SEM}-\mathsf{QCPA}$  [10,12]; The modification is to give $\mathcal{A}$ and $\mathcal{S}$ oracle access to ${\mathsf{Dec}}_k$ in the pre-challenge phase.

Theorem 6.

Let $\mathsf{\Pi }=(\mathsf{KeyGen},\mathsf{Enc},\mathsf{Dec})$ be a symmetric-key encryption scheme. Then, Π is $\mathsf{IND}-\mathsf{QCCA}\mathsf{1}$-secure if and only if Π is $\mathsf{SEM}-\mathsf{QCCA}\mathsf{1}$-secure.

The classical proof of the above (see, e.g., [30]) carries over directly to the quantum case. This was already observed for the case of $\mathsf{QCPA}$ by [10], and extends straightforwardly to the case where both the adversary and the simulator gain oracle access to ${\mathsf{Dec}}_k$ in the pre-challenge phase. In fact, the proof works even if ${\mathsf{Dec}}_k$ access is maintained during the challenge, so the result is really that $\mathsf{IND}-\mathsf{QCCA}\mathsf{2}$ is equivalent to $\mathsf{SEM}-\mathsf{QCCA}\mathsf{2}$.

4. Secure Constructions

4.1. $\mathsf{PRF}$ Scheme

Let us first recall the standard symmetric-key encryption based on pseudorandom functions.

Construction 1

($\mathsf{PRF}$ scheme). Let n be the security parameter and let $f:{\{0,1\}}^n\times {\{0,1\}}^n⟶{\{0,1\}}^n$ be an efficient family of functions ${\left\{f_k\right\}}_k$. The symmetric-key encryption scheme $\mathsf{PRFscheme}\left[f\right]=(\mathsf{KeyGen},\mathsf{Enc},\mathsf{Dec})$ is defined by the following efficient algorithms:

1. 

$\mathsf{KeyGen}$: output a key $\mathit{k}\stackrel{\$}{\leftarrow }{\{0,1\}}^n$;

2. 

$\mathsf{Enc}$: to encrypt a message $\mathit{m}$, choose a random string $\mathit{r}\stackrel{\$}{\leftarrow }{\{0,1\}}^n$ and output $(\mathit{r},f_k\left(\mathit{r}\right)\oplus \mathit{m})$;

3. 

$\mathsf{Dec}$: to decrypt a ciphertext $(\mathit{r},\mathit{c})$, output $\mathit{c}\oplus f_k\left(\mathit{r}\right)$;

For simplicity, we chose a particularly simple set of parameters for the $\mathsf{PRF}$, so that key length, input size, and output size are all equal to the security parameter. It is straightforward to check that the definition (and our results below) are valid for arbitrary polynomial-size parameter choices.

We show that the above scheme satisfies $\mathsf{QCCA}\mathsf{1}$, provided that the underlying $\mathsf{PRF}$ is secure against quantum queries.

Theorem 7.

If f is a $\mathsf{QPRF}$, then $\mathsf{PRFscheme}\left[f\right]$ is $\mathsf{IND}-\mathsf{QCCA}\mathsf{1}$-secure.

Proof. 

Fix a $\mathsf{QPT}$ adversary $\mathcal{A}$ against $\mathsf{\Pi }:=\mathsf{PRFscheme}\left[f\right]=(\mathsf{KeyGen},\mathsf{Enc},\mathsf{Dec})$ and let n denote the security parameter. It will be convenient to split $\mathcal{A}$ into the pre-challenge algorithm ${\mathcal{A}}_1$ and the challenge algorithm ${\mathcal{A}}_2$.

We will work with the single-message variant of $\mathsf{IndGame}$, ${\mathsf{IndGame}}^{\prime }$, described below as Game 0. In Appendix A.2, we show that $\mathsf{\Pi }$ is $\mathsf{IND}-\mathsf{QCCA}\mathsf{1}$ if and only if no $\mathsf{QPT}$ adversary can win ${\mathsf{IndGame}}^{\prime }$ with non-negligible bias. We first show that a version of ${\mathsf{IndGame}}^{\prime }$ where we replace f with a random function, called Game 1 below, is indistinguishable from ${\mathsf{IndGame}}^{\prime }$, so that the winning probabilities cannot differ by a non-negligible amount. We then prove that no adversary can win Game 1 with non-negligible bias by showing how any adversary for Game 1 can be used to make a quantum random access code with the same bias.

Game 0: 

This is the game ${\mathsf{IndGame}}^{\prime }(\mathsf{\Pi },\mathcal{A},n)$, which we briefly review for convenience (see also Figure 1). In the pre-challenge phase, ${\mathcal{A}}_1$ gets access to oracles ${\mathsf{Enc}}_k$ and ${\mathsf{Dec}}_k$, and outputs a message $m^{*}$ while keeping a private state $|\psi ⟩$ for the challenge phase. In the challenge phase, a random bit $b\stackrel{\$}{\leftarrow }\{0,1\}$ is sampled, and ${\mathcal{A}}_2$ is run on input $|\psi ⟩$ and a challenge ciphertext

$$c^{*}:={\mathsf{\Phi }}_b\left(m^{*}\right):=\left\{\begin{array}{cc}{\mathsf{Enc}}_k\left(m^{*}\right)\hfill & \mathrm{if} b=0,\hfill \\ {\mathsf{Enc}}_k\left(x\right)\hfill & \mathrm{if} b=1.\hfill \end{array}\right.$$

Here, ${\mathsf{Enc}}_k\left(x\right):=(r^{*},f_k\left(r^{*}\right)\oplus x)$ where $r^{*}$ and x are sampled uniformly at random. In the challenge phase, ${\mathcal{A}}_2$ only has access to ${\mathsf{Enc}}_k$ and must output a bit $b^{\prime }$. $\mathcal{A}$ wins if ${\delta }_{b{b}^{\prime }}=1$, so we call ${\delta }_{b{b}^{\prime }}$ the outcome of the game.

Figure 1. ${\mathsf{IndGame}}^{\prime }$ from Definition 4.

Game 1: 

This is the same game as Game 0, except we replace $f_k$ with a uniformly random function $F:{\{0,1\}}^n\to {\{0,1\}}^n$.

First, we show that for any adversary $\mathcal{A}$, the outcome when $\mathcal{A}$ plays Game 0 is at most negligibly different from the outcome when $\mathcal{A}$ plays Game 1. We do this by constructing a quantum oracle distinguisher $\mathcal{D}$ that distinguishes between the $\mathsf{QPRF}$ ${\left\{f_k\right\}}_k$ and a true random function, with distinguishing advantage

$$\left|Pr[1\leftarrow \mathrm{G}\mathrm{AME}0]-Pr[1\leftarrow \mathrm{G}\mathrm{AME}1]\right|,$$

which must then be negligible since f is a $\mathsf{QPRF}$. The distinguisher $\mathcal{D}$ gets quantum oracle access to a function g, which is either $f_k$, for a random k, or a random function, and proceeds by simulating $\mathcal{A}$ playing ${\mathsf{IndGame}}^{\prime }$ as follows:

• Run ${\mathcal{A}}_1$, answering encryption queries using classical calls to g in place of $f_k$, and answering decryption queries using quantum oracle calls to g:

  $$|r⟩|c⟩|m⟩\mapsto |r⟩|c⟩|m\oplus c⟩\mapsto |r⟩|c⟩|m\oplus c\oplus g(r)⟩;$$
• Simulate the challenge phase by sampling $b\stackrel{\$}{\leftarrow }\{0,1\}$ and encrypting the challenge using g in place of $f_k$; run ${\mathcal{A}}_2$ and simulate encryption queries as before;
• When ${\mathcal{A}}_2$ outputs $b^{\prime }$, output ${\delta }_{b{b}^{\prime }}$.

It remains to show that no $\mathsf{QPT}$ adversary can win Game 1 with non-negligible probability. To do this, we design a quantum random access code from any adversary, and use the lower bound on the bias given in Lemma 1.

Intuition. We first give some intuition. In an encryption query, the adversary, either ${\mathcal{A}}_1$ or ${\mathcal{A}}_2$, queries a message, or a superposition of messages ${\sum }_m|m⟩$, and gets back ${\sum }_m|m⟩|r,m\oplus F\left(r\right)⟩$ for a random r, from which he can easily get a sample $(r,F(r\left)\right)$. Thus, in essence, an encryption query is just classically sampling a random point of F.

In a decryption query, which is only available to ${\mathcal{A}}_1$, the adversary sends a ciphertext, or a superposition of ciphertexts, ${\sum }_{r,c}|r,c⟩$ and gets back ${\sum }_{r,c}|r,c⟩|c\oplus F\left(r\right)⟩$, from which he can learn ${\sum }_r|r,F\left(r\right)⟩$. Thus, a decryption query allows ${\mathcal{A}}_1$ to query F, in superposition. Later in the challenge phase, ${\mathcal{A}}_2$ gets an encryption $(r^{*},m\oplus F\left(r^{*}\right))$ and must decide if $m=m^{*}$. Since ${\mathcal{A}}_2$ no longer has access to the decryption oracle, which allows him to query F, it follows there seem to be only two possible ways ${\mathcal{A}}_2$ could learn $F\left(r^{*}\right)$:

• ${\mathcal{A}}_2$ gets lucky in one of his at most $poly\left(n\right)$ many queries to ${\mathsf{Enc}}_k$ and happens to sample the challenge pair $(r^{*},F\left(r^{*}\right))$;
• Or, the adversary is somehow able to use what he learned while he had access to ${\mathsf{Dec}}_k$, and thus F, to learn $F\left(r^{*}\right)$, meaning that the $poly\left(n\right)$-sized quantum memory ${\mathcal{A}}_1$ sends to ${\mathcal{A}}_2$, that can depend on queries to F, but which cannot depend on $r^{*}$, allows ${\mathcal{A}}_2$ to learn $F\left(r^{*}\right)$.

The first possibility is exponentially unlikely, since there are $2^n$ possibilities for $r^{*}$. As we will see shortly, the second possibility would imply a very strong quantum random access code. It would essentially allow ${\mathcal{A}}_1$ to interact with F, which contains $2^n$ values, and make a state, which must necessarily be of polynomial size, such that ${\mathcal{A}}_2$ can use that state to recover $F\left(r^{*}\right)$ for any of the $2^n$ possible values of $r^{*}$, with high probability. We now formalize this intuition. To clarify notation, we will use boldface to denote the shared randomness bitstrings.

Construction of a quantum random access code. Let $\mathcal{A}$ be a $\mathsf{QPT}$ adversary with winning probability p. Let $\ell =poly\left(n\right)$ be an upper bound on the number of queries made by ${\mathcal{A}}_2$. Recall that a random access code consists of an encoding procedure that takes (in this case) $2^n$ bits $b_1,\cdots ,b_{2^n}$, and outputs a state $\varrho$ of dimension (in this case) $2^{poly\left(n\right)}$, such that a decoding procedure, given $\varrho$ and an index $j\in \{1,\cdots ,2^n\}$ outputs $b_j$ with some success probability. We define a quantum random access code as follows (see also Figure 2).

Figure 2. Quantum random access code construction for the pseudorandom function ($\mathsf{PRF}$) scheme.

Encoding. 

Let $b_1,\cdots ,b_{2^n}\in \{0,1\}$ be the string to be encoded. Let $\mathit{s},{\mathit{y}}_1,\cdots ,{\mathit{y}}_{2^n}\in {\{0,1\}}^n$ be given by the first $n(1+2^n)$ bits of the shared randomness, and let ${\mathit{r}}_1,\cdots ,{\mathit{r}}_{\ell }\in {\{0,1\}}^n$ be the next $\ell n$ bits. Define a function $\tilde{f}:{\{0,1\}}^n\to {\{0,1\}}^n$ as follows. For $\mathit{r}\in {\{0,1\}}^n$, we will slightly abuse notation by letting r denote the corresponding integer value between 1 and $2^n$. Define $\tilde{f}\left(\mathit{r}\right)={\mathit{y}}_r\oplus b_r\mathit{s}$. Run ${\mathcal{A}}_1$, answering encryption and decryption queries using $\tilde{f}$ in place of F. Let $m^{*}$ and $|\psi ⟩$ be the outputs of ${\mathcal{A}}_1$ (see Figure 1). Output $\varrho =\left(\right|\psi ⟩,m^{*},\tilde{f}\left({\mathit{r}}_1\right),\cdots ,\tilde{f}\left({\mathit{r}}_{\ell }\right))$.

Decoding. 

Let $j\in \{1,\cdots ,2^n\}$ be the index of the bit to be decoded (so given $\varrho$ as above, the goal is to recover $b_j$). Decoding will make use of the values $\mathit{s},{\mathit{y}}_1,\cdots ,{\mathit{y}}_{2^n},{\mathit{r}}_1,\cdots ,{\mathit{r}}_{\ell }$ given by the shared randomness. Upon receiving a query $j\in \{1,\cdots ,2^n\}$, run ${\mathcal{A}}_2$ with inputs $|\psi ⟩$ and $(j,m^{*}\oplus {\mathit{y}}_j)$. On ${\mathcal{A}}_2$’s i-th encryption oracle call, use randomness ${\mathit{r}}_i$, so that if the input to the oracle is $|m,c⟩$, the state returned is $|m,c\oplus ({\mathit{r}}_i,m\oplus \tilde{f}\left({\mathit{r}}_i\right))⟩$ (note that $\tilde{f}\left({\mathit{r}}_i\right)$ is given as part of $\varrho$). Return the bit $b^{\prime }$ output by ${\mathcal{A}}_2$.

Average bias of the code. we claim that the average probability of decoding correctly, taken over all choices of $b_1,\cdots ,b_{2^n}\in \{0,1\}$ and $j\in \{1,\cdots ,2^n\}$, is exactly p, the success probability of $\mathcal{A}$. To see this, first note that from $\mathcal{A}$’s perspective, this is exactly Game 1: The function $\tilde{f}$ is a uniformly random function, and the queries are responded to just as in Game 1. Further, note that if $b_j=0$, then $m^{*}\oplus {\mathit{y}}_j=m^{*}\oplus \tilde{f}\left(j\right)$, so the correct guess for ${\mathcal{A}}_2$ would be 0, and if $b_j=1$, then $m^{*}\oplus {\mathit{y}}_j=m^{*}\oplus \tilde{f}\left(j\right)\oplus \mathit{s}=\mathit{x}\oplus \tilde{f}\left(j\right)$ for the uniformly random string $\mathit{x}=m^{*}\oplus \mathit{s}$, so the correct guess for ${\mathcal{A}}_2$ would be 1.

Therefore, the average bias of the code is $p-1/2$. We also observe that $\varrho$ has dimension at most $2^{poly\left(n\right)}$, since $|\psi ⟩$ must be a $poly\left(n\right)$-qubit state (${\mathcal{A}}_1$ only runs for $poly\left(n\right)$ time), and ℓ, the number of queries made by ${\mathcal{A}}_2$ must be $poly\left(n\right)$, since ${\mathcal{A}}_2$ only runs for $poly\left(n\right)$ time. As this code encodes $2^n$ bits into a state of dimension $2^{poly\left(n\right)}$, by Lemma 1 (proven in Appendix A.1), the bias is $O(2^{-n/2}poly\left(n\right))=negl\left(n\right)$, so $p\le \frac{1}{2}+negl\left(n\right)$. □

4.2. $\mathsf{PRP}$ Scheme

We now prove the $\mathsf{IND}-\mathsf{QCCA}\mathsf{1}$ security of a standard encryption scheme based on pseudorandom permutations.

Construction 2

($\mathsf{PRP}$ scheme). Let n be the security parameter and let $P:{\{0,1\}}^n\times {\{0,1\}}^{2n}⟶{\{0,1\}}^{2n}$ be an efficient family of permutations ${\left\{P_k\right\}}_k$. The symmetric-key scheme $\mathsf{PRPscheme}\left[f\right]=(\mathsf{KeyGen}, \mathsf{Enc}, \mathsf{Dec})$ is defined by the following efficient algorithms:

1. 

$\mathsf{KeyGen}$: output $k\stackrel{\$}{\leftarrow }{\{0,1\}}^n$;

2. 

$\mathsf{Enc}$: to encrypt $m\in {\{0,1\}}^n$, choose $r\stackrel{\$}{\leftarrow }{\{0,1\}}^n$ and output $P_k\left(m\right|\left|r\right)$;

3. 

$\mathsf{Dec}$: to decrypt $c\in {\{0,1\}}^{2n}$, output the first n bits of $P_k^{-1}\left(c\right)$.

As before, we chose a simple set of parameters; in general, the randomness length, plaintext length, and security parameter can be related by arbitrary polynomials.

Theorem 8.

If P is a $\mathsf{QPRP}$, then $\mathsf{PRPscheme}\left[P\right]$ is $\mathsf{IND}-\mathsf{QCCA}\mathsf{1}$-secure.

Proof. 

We follow a similar proof strategy as with the $\mathsf{PRF}$ scheme. Fix a $\mathsf{QPT}$ adversary $\mathcal{A}$ against $\mathsf{\Pi }:=\mathsf{PRPscheme}\left[P\right]=(\mathsf{KeyGen},\mathsf{Enc},\mathsf{Dec})$. We have that $\mathsf{\Pi }$ is $\mathsf{IND}-\mathsf{QCCA}\mathsf{1}$ if and only if no $\mathsf{QPT}$ adversary can win ${\mathsf{IndGame}}^{\prime }$ with non-negligible bias. First, we show that a version of ${\mathsf{IndGame}}^{\prime }$ where we replace P with a random permutation, described below as Game 1, is indistinguishable from ${\mathsf{IndGame}}^{\prime }$, so that the winning probabilities cannot differ by a non-negligible amount. We then prove that no adversary can win Game 1 with non-negligible bias, by showing how any adversary for Game 1 can be used to make a quantum random access code with the same bias.

Game 0: 

in the pre-challenge phase, ${\mathcal{A}}_1$ gets access to oracles ${\mathsf{Enc}}_k$ and ${\mathsf{Dec}}_k$. in the challenge phase, ${\mathcal{A}}_1$ outputs m and its private data $|\psi ⟩$; a random bit $b\stackrel{\$}{\leftarrow }\{0,1\}$ is sampled, and ${\mathcal{A}}_2$ is run on input $|\psi ⟩$ and a challenge ciphertext

$$c^{*}:=\left\{\begin{array}{cc}{\mathsf{Enc}}_k\left(m^{*}\right)=P_k(m^{*}\left|\right|r^{*})\hfill & \mathrm{if} b=0,\hfill \\ {\mathsf{Enc}}_k\left(x\right)=P_k\left(x\right||r^{*})\hfill & \mathrm{if} b=1,\hfill \end{array}\right.$$

where $r^{*}\stackrel{\$}{\leftarrow }{\{0,1\}}^n$ and x is sampled uniformly at random. In the challenge phase, ${\mathcal{A}}_2$ has oracle access to ${\mathsf{Enc}}_k$ only and outputs a bit $b^{\prime }$. The outcome of the game is simply the bit ${\delta }_{b{b}^{\prime }}$.

Game 1: 

This is the same game as Game 0, except we now replace $P_k$ with a perfectly random permutation $\pi :{\{0,1\}}^{2n}\to {\{0,1\}}^{2n}$.

We show that for any adversary $\mathcal{A}$, the outcome when $\mathcal{A}$ plays Game 0 is at most negligibly different from the outcome when $\mathcal{A}$ plays Game 1. We construct a quantum oracle distinguisher $\mathcal{D}$ that distinguishes between $P_k$ and a perfectly random permutation, with distinguishing advantage

$$\left|Pr[1\leftarrow \mathrm{G}\mathrm{AME}0]-Pr[1\leftarrow \mathrm{G}\mathrm{AME}1]\right|,$$

which must then be negligible since $P_k$ is a $\mathsf{QPRP}$. Here, the distinguisher $\mathcal{D}$ receives quantum oracle access to a function $\phi$, which is either $P_k$ for a random k, or a random permutation $\pi$, and proceeds by simulating $\mathcal{A}$ playing ${\mathsf{IndGame}}^{\prime }$ as follows:

• Run ${\mathcal{A}}_1$, answering encryption queries using oracle calls to $\phi$ in place of $P_k$, where for a given input and via randomness r,

  $$\mathsf{Enc}:|m⟩|c⟩\mapsto |m⟩|c\oplus \phi \left(m\right|\left|r\right)⟩.$$
  Answer decryption queries using quantum oracle calls to ${\tilde{\phi }}^{-1}$, a function that first computes ${\phi }^{-1}$ but then (analogous to the $\mathsf{PRP}$ construction) discards the last n bits of the pre-image corresponding to the randomness, i.e.

  $$\mathsf{Dec}:|c⟩|m⟩\mapsto |c⟩|m\oplus {\tilde{\phi }}^{-1}\left(c\right)⟩.$$
• Simulate the challenge phase by sampling $b\stackrel{\$}{\leftarrow }\{0,1\}$ and encrypting using a randomness $r^{*}$ together with a classical call to $\phi$ in place of $P_k$; run ${\mathcal{A}}_2$ and simulate encryption queries as before.
• When ${\mathcal{A}}_2$ outputs $b^{\prime }$, output ${\delta }_{b{b}^{\prime }}$.

It remains to show that no $\mathsf{QPT}$ adversary can win Game 1 with non-negligible probability. To do this, we will again design a random access code from any adversary’s strategy with success probability p, and use the lower bound on the bias given in Lemma 1. We will then construct a $\mathsf{QRAC}$ with bias $negl\left(n\right)$ from this adversary, and hence conclude that $p\le \frac{1}{2}+negl\left(n\right)$.

Construction of a quantum random access code. Let $\mathcal{A}$ be a $\mathsf{QPT}$ adversary with winning probability p and let $\ell =poly\left(n\right)$ be an upper bound on the number of queries made by ${\mathcal{A}}_2$. When constructing a $\mathsf{QRAC}$ for the $\mathsf{PRP}$ scheme, we shall also assume for simplicity that both the encoder and decoder share a random permutation (as part of the shared randomness). According to the well known coupon collector’s problem [31], it is sufficient for the encoder and decoder to share around $Nln\left(N\right)$ random strings on average, where N denotes the number of distinct random strings required to make up the desired permutation. We define a quantum random access code as follows (see also Figure 3).

Figure 3. Quantum random access code construction for the pseudorandom permutation ($\mathsf{PRP}$) scheme.

Encoding. 

Let $b_1,\cdots ,b_{2^n}\in \{0,1\}$ be the string to be encoded and let the shared randomness be given by a random string $\mathit{s}$ together with a random permutation $\mathit{y}={\mathit{y}}_1,\cdots ,{\mathit{y}}_{2^{2n}}\in {\{0,1\}}^{2n}$ and a set of random strings ${\mathit{r}}_1,\cdots ,{\mathit{r}}_{\ell }\in {\{0,1\}}^n$. Using $b_1,\cdots ,b_{2^n}$, we define a new random permutation by letting $\tilde{P}\left(x\right|\left|r\right):={\mathit{y}}_{x\oplus b_{r}s\left|\right|r}$ ($\tilde{P}$ remains a permutation since $\tilde{P}\left(x\right|\left|r\right)=\tilde{P}(x^{\prime }\left|\right|r^{\prime })\iff {\mathit{y}}_{x\oplus b_{r}s\left|\right|r}={\mathit{y}}_{x^{\prime }\oplus b_{r^{\prime }}s\left|\right|r^{\prime }}\iff (r=r^{\prime })\wedge (x=x^{\prime })$). Now run ${\mathcal{A}}_1$ by answering encryption and decryption queries using $\tilde{P}$ in place of $\pi$ (for decryption, use ${\tilde{P}}^{-1}$ and discard the last n bits). Let $m^{*}$ and $|\psi ⟩$ be the outputs of ${\mathcal{A}}_1$. Then, output $\varrho =\left(\right|\psi ⟩,m^{*},b_{r_1},\cdots ,b_{r_l})$.

Decoding. 

Let $j\in \{1,\cdots ,2^n\}$ be the index of the bit to be decoded; so given $\varrho$ as above, we will recover $b_j$ by making use of the shared randomness defined above. Upon receiving a query $j\in \{1,\cdots ,2^n\}$, run ${\mathcal{A}}_2$ with inputs $|\psi ⟩$ and $c^{*}={\mathit{y}}_{m^{*}\left|\right|j}$. Return the bit $b^{\prime }$ output by ${\mathcal{A}}_2$.

Average bias of the code. we claim that the average probability of decoding correctly, taken over all choices of $b_1,\cdots ,b_{2^n}\in \{0,1\}$ and $j\in \{1,\cdots ,2^n\}$, is exactly p, the success probability of $\mathcal{A}$. To see this, first note that from $\mathcal{A}$’s perspective, this is exactly Game 1: The function $\tilde{P}$ is a uniformly random permutation, and the queries are responded to just as in Game 1. Further, note that if $b_j=0$, the challenge amounts to $\tilde{P}(m^{*}\left|\right|j)={\mathit{y}}_{m^{*}\left|\right|j}$, so the correct guess for ${\mathcal{A}}_2$ would be 0, and if $b_j=1$, then ${\mathit{y}}_{x\left|\right|j}$ is an encryption of a uniformly random string $\mathit{x}=m^{*}\oplus \mathit{s}$, so the correct guess for ${\mathcal{A}}_2$ would be 1.

Therefore, the average bias of the code is $p-1/2$. We now proceed with a similar analysis as with the $\mathsf{PRF}$ scheme. Note that $\varrho$ has dimension at most $2^{poly\left(n\right)}$, since $|\psi ⟩$ must be a $poly\left(n\right)$-qubit state (${\mathcal{A}}_1$ only runs for $poly\left(n\right)$ time), and ℓ, the number of queries made by ${\mathcal{A}}_2$ must be $poly\left(n\right)$, since ${\mathcal{A}}_2$ only runs for $poly\left(n\right)$ time. As this code encodes $2^n$ bits into a state of dimension $2^{poly\left(n\right)}$, by Lemma 1, the bias is $O(2^{-n/2}poly\left(n\right))=negl\left(n\right)$, so $p\le \frac{1}{2}+negl\left(n\right)$. □

5. Quantum Algorithm for Linear Rounding Functions

In this section, we analyze the performance of the Bernstein–Vazirani algorithm [17] with a modified version of the oracle. While the original oracle computes the inner product modulo q, our version only gives partial information about it by rounding its value to one of $\lceil q/b\rceil$ blocks of size b, for some $b\in \{1,\cdots ,q-1\}$ (if b does not divide q, one of the blocks will have size $<b$).

Definition 6.

Let $n\ge 1$ be an integer and $q\ge 2$ be an integer modulus. Let $a\in {\mathbb{Z}}_q$, $b\in {\mathbb{Z}}_q\setminus \left\{0\right\}$ and $c:=q/b$. We partition ${\mathbb{Z}}_q$ into c disjoint blocks (most of them of size b) starting from a as follows (see Figure 4):

$$I_v(a,b):=\left\{\begin{array}{cc}\{a+vb,\cdots ,a+vb+b-1\}\hfill & \mathrm{if}v\in \{0,\cdots ,c-2\},\hfill \\ \{a+vb,\cdots ,a+q-1\}\hfill & \mathrm{if}v=c-1.\hfill \end{array}\right.$$

Figure 4. Dividing ${\mathbb{Z}}_q$ into $c=\lceil q/b\rceil$ blocks, starting from a. The first $c-1$ blocks, labelled $I_0(a,b),\cdots ,I_{c-2}(a,b)$, have size b and the last, labelled $I_{c-1}(a,b)$, contains the remaining $b-(cb-q)\le b$ elements of ${\mathbb{Z}}_q$.

Based on this partition, we define a family ${\mathsf{LRF}}_{\mathit{k},a,b}:{\mathbb{Z}}_q^n⟶{\mathbb{Z}}_c$ of keyed linear rounding functions, with key $\mathit{k}\in {\mathbb{Z}}_q^n$, as follows:

$${\mathsf{LRF}}_{\mathit{k},a,b}\left(\mathit{x}\right):=v\mathrm{if}\mathit{x},\mathit{k}\in I_v(a,b).$$

In words, we divide the cyclic group ${\mathbb{Z}}_q$ into c blocks, beginning at a: The first $c-1$ have size b, and the last one has size $b-(cb-q)\le b$ (see Figure 4). Then, the rounding function, $\mathsf{LRF}$, classifies $\mathit{x}$ by which of these blocks the value $\mathit{x},\mathit{k}$ falls into.

The following theorem shows that the modulo-q variant of the Bernstein–Vazirani algorithm (Algorithm 1) can recover $\mathit{k}$ with constant probability of success by using only a single quantum query to ${\mathsf{LRF}}_{\mathit{k},a,b}$.

Algorithm 1: Bernstein–Vazirani for linear rounding functions

Parameters: n, q, $b\in \{1,\cdots ,q-1\}$, $c=\lceil q/b\rceil$.

Input  :Quantum oracle $U_{\mathsf{LRF}}:|\mathit{x}⟩|z⟩\mapsto |\mathit{x}⟩|z+{\mathsf{LRF}}_{\mathit{k},a,b}\left(\mathit{x}\right)(modc)⟩$ where $\mathit{x}\in {\mathbb{Z}}_q^n$, $z\in {\mathbb{Z}}_c$ and ${\mathsf{LRF}}_{\mathit{k},a,b}$ is the rounded inner product function for some unknown $\mathit{k}\in {\mathbb{Z}}_q^n$ and $a\in {\mathbb{Z}}_q$. Output  :String $\tilde{\mathit{k}}\in {\mathbb{Z}}_q^n$ such that $\tilde{\mathit{k}}=\mathit{k}$ with high probability.

Prepare the uniform superposition and append $\frac{1}{\sqrt{c}}{\sum }_{z=0}^{c-1}{\omega }_c^z|z⟩$ where ${\omega }_c=e^{2\pi i/c}$: ${\displaystyle \frac{1}{\sqrt{q^n}}\sum _{\mathit{x}\in {\mathbb{Z}}_q^n}|\mathit{x}⟩\otimes \frac{1}{\sqrt{c}}\sum _{z=0}^{c-1}{\omega }_c^z|z⟩.}$ Query the oracle $U_{\mathsf{LRF}}$ for ${\mathsf{LRF}}_{\mathit{k},a,b}$ to obtain ${\displaystyle \frac{1}{\sqrt{q^n}}\sum _{\mathit{x}\in {\mathbb{Z}}_q^n}{\omega }_c^{-{\mathsf{LRF}}_{\mathit{k},a,b}\left(\mathit{x}\right)}|\mathit{x}⟩\otimes \frac{1}{\sqrt{c}}\sum _{z=0}^{c-1}{\omega }_c^z|z⟩.}$ Discard the last register and apply the quantum Fourier transform ${\mathsf{QFT}}_{{\mathbb{Z}}_q}^{\otimes n}$. Measure in the computational basis and output the outcome $\tilde{\mathit{k}}$.

Theorem 9.

Let $U_{\mathsf{LRF}}$ be the quantum oracle for the linear rounding function ${\mathsf{LRF}}_{\mathit{k},a,b}$ with modulus $q\ge 2$, block size $b\in \{1,\cdots ,q-1\}$, and an unknown $a\in \{0,\cdots ,q-1\}$, and unknown key $\mathit{k}\in {\mathbb{Z}}_q^n$ such that $\mathit{k}$ has at least one entry that is a unit modulo q. By making one query to the oracle $U_{\mathsf{LRF}}$, Algorithm 1 recovers the key $\mathit{k}$ with probability at least ${\left(\frac{2}{\pi }-\frac{\pi }{8}\right)}^2\approx 0.059$.

Proof. 

For an integer m, let ${\omega }_m=e^{2\pi i/m}$. Several times in this proof, we will make use of the identity ${\sum }_{z=0}^{\ell -1}{\omega }_m^{rz}={\omega }_m^{r(\ell -1)/2}\left(\frac{sin(\ell r\pi /m)}{sin(r\pi /m)}\right)$.

Let $c=\lceil q/b\rceil$ and $d=cb-q$. Throughout this proof, let $\mathsf{LRF}\left(\mathit{x}\right)={\mathsf{LRF}}_{\mathit{k},a,b}\left(\mathit{x}\right)$. By querying with $\frac{1}{\sqrt{c}}{\sum }_{z=0}^{c-1}{\omega }_c^z|z⟩$ in the second register, we are using the standard phase kickback technique, which puts the output of the oracle directly into the phase:

$$\begin{array}{ccc}\hfill |\mathit{x}⟩\frac{1}{\sqrt{c}}\sum _{z=0}^{c-1}{\omega }_c^z|z⟩& \stackrel{U_{\mathsf{LRF}}}{⟼}& |\mathit{x}⟩\frac{1}{\sqrt{c}}\sum _{z=0}^{c-1}{\omega }_c^z|z+\mathsf{LRF}\left(\mathit{x}\right)(modc)⟩\hfill \\ & =& |\mathit{x}⟩\frac{1}{\sqrt{c}}\sum _{z=0}^{c-1}{\omega }_c^{z-\mathsf{LRF}\left(\mathit{x}\right)}|z⟩={\omega }_c^{-\mathsf{LRF}\left(\mathit{x}\right)}|\mathit{x}⟩\frac{1}{\sqrt{c}}\sum _{z=0}^{c-1}{\omega }_c^z|z⟩.\hfill \end{array}$$

Thus, after querying the uniform superposition over the cipherspace with $\frac{1}{\sqrt{c}}{\sum }_{z=0}^{c-1}{\omega }_c^z|z⟩$ in the second register, we arrive at the state

$$\frac{1}{\sqrt{q^n}}\sum _{\mathit{x}\in {\mathbb{Z}}_q^n}{\omega }_c^{-\mathsf{LRF}\left(\mathit{x}\right)}|\mathit{x}⟩\frac{1}{\sqrt{c}}\sum _{z=0}^{c-1}{\omega }_c^z|z⟩.$$

Note that ${\omega }_c={\omega }_q^{q/c}$. If we discard the last register and apply ${\mathsf{QFT}}_{{\mathbb{Z}}_q}^{\otimes n}$, we get

$$|\psi ⟩=\frac{1}{q^n}\sum _{\mathit{y}\in {\mathbb{Z}}_q^n}\sum _{\mathit{x}\in {\mathbb{Z}}_q^n}{\omega }_q^{-(q/c)\mathsf{LRF}\left(\mathit{x}\right)+\mathit{x},\mathit{y}}|\mathit{y}⟩.$$

We then perform a complete measurement in the computational basis. The probability of obtaining the key $\mathit{k}$ is given by

$${\left|⟨\mathit{k}|\psi ⟩\right|}^2=|*|{\frac{1}{q^n}\sum _{\mathit{x}\in {\mathbb{Z}}_q^n}{\omega }_q^{-\frac{q}{c}\mathsf{LRF}\left(\mathit{x}\right)+\mathit{x},\mathit{k}}}^2=|*|{\frac{1}{q^n}\sum _{v=0}^{c-1}{\omega }_q^{-\frac{q}{c}v}\sum _{\mathit{x}\in {\mathbb{Z}}_q^n:\mathsf{LRF}\left(\mathit{x}\right)=v}{\omega }_q^{\mathit{x},\mathit{k}}}^2.$$

(3)

We are assuming that $\mathit{k}$ has at least one entry that is a unit modulo q. For simplicity, suppose that entry is $k_n$. Let ${\mathit{k}}_{1:n-1}$ denote the first $n-1$ entries of $\mathit{k}$. Then, for any $v\in \{0,\cdots ,c-2\}$:

$$\begin{array}{ccc}\hfill \sum _{\mathit{x}\in {\mathbb{Z}}_q^n:\mathsf{LRF}\left(\mathit{x}\right)=v}{\omega }_q^{\mathit{x},\mathit{k}}& =& \sum _{\mathit{x}\in {\mathbb{Z}}_q^n:\mathit{x},\mathit{k}\in I_v(a,b)}{\omega }_q^{\mathit{x},\mathit{k}}\hfill \\ & =& \sum _{\mathit{y}\in {\mathbb{Z}}_q^{n-1}}{\omega }_q^{\mathit{y},{\mathit{k}}_{1:n-1}}\sum _{\begin{array}{c}{x}_n\in {\mathbb{Z}}_q:\\ x_n{k}_n\in I_v(a-\mathit{y},{\mathit{k}}_{1:n-1},b)\end{array}}{\omega }_q^{x_n{k}_n}.\hfill \end{array}$$

(4)

(recall the definition of $I_v(a,b)$ from Definition 6). Since $k_n$ is a unit, for each $z\in I_v(a-\mathit{y},{\mathit{k}}_{1:n-1})$, there is a unique $x_n\in {\mathbb{Z}}_q$ such that $x_n{k}_n=z$. Thus, for a fixed $\mathit{y}\in {\mathbb{Z}}_q^{n-1}$, letting $a^{\prime }=a-\mathit{y},{\mathit{k}}_{1:n-1}$, we have:

$$\sum _{\begin{array}{c}{x}_n\in {\mathbb{Z}}_q:x_n{k}_n\in I_v(a^{\prime },b)\end{array}}{\omega }_q^{x_n{k}_n}=\sum _{z=a^{\prime }+vb}^{a^{\prime }+(v+1)b-1}{\omega }_q^z={\omega }_q^{a^{\prime }+vb}\sum _{z=0}^{b-1}{\omega }_q^z,$$

which we can plug into (4) to get:

$$\sum _{\begin{array}{c}\mathit{x}\in {\mathbb{Z}}_q^n:\\ \mathsf{LRF}\left(\mathit{x}\right)=v\end{array}}{\omega }_q^{\mathit{x},\mathit{k}}=\sum _{\mathit{y}\in {\mathbb{Z}}_q^{n-1}}{\omega }_q^{\mathit{y},{\mathit{k}}_{1:n-1}}{\omega }_q^{a-\mathit{y},{\mathit{k}}_{1:n-1}+vb}\sum _{z=0}^{b-1}{\omega }_q^z=q^{n-1}{\omega }_q^{a+vb}\sum _{z=0}^{b-1}{\omega }_q^z.$$

(5)

We can perform a similar analysis for the remaining case when $v=c-1$. Recall that $d=cb-q\ge 0$ so $vb=cb-b=d+q-b=-(b-d)(modq)$ and we get

$$\sum _{\mathit{x}\in {\mathbb{Z}}_q^n:\mathsf{LRF}\left(\mathit{x}\right)=c-1}{\omega }_q^{\mathit{x},\mathit{k}}=q^{n-1}{\omega }_q^{a-(b-d)}\sum _{z=0}^{b-d-1}{\omega }_q^z.$$

(6)

This is slightly different from the $v<c-1$ case, shown in (5), but very similar. If we substitute $v=c-1$ in (5) and compare it to (6), we get

$$\begin{array}{cc}& \left|q^{n-1}{\omega }_q^{a-(b-d)}\sum _{z=0}^{b-d-1}{\omega }_q^z-q^{n-1}{\omega }_q^{a-(b-d)}\sum _{z=0}^{b-1}{\omega }_q^z\right|\hfill \\ =& q^{n-1}|\sum _{z=b-d}^{b-1}{\omega }_q^z|=q^{n-1}\left|\sum _{z=0}^{d-1}{\omega }_q^z\right|=q^{n-1}\left|\frac{sin(\pi d/q)}{sin(\pi /q)}\right|\hfill \\ \le & q^{n-1}\frac{\pi d/q}{2/q}=q^{n-1}\frac{\pi }{2}d.\hfill \end{array}$$

(7)

Above, we have used the facts $sinx\le x$, and $\left|sinx\right|\ge 2x/\pi$ when $\left|x\right|\le \pi /2$. Now, plugging (5) into (3) for all the $v<c-1$ terms, and using (7) and the triangle inequality for the $v=c-1$ term, we get:

$$\begin{array}{ccc}\hfill |⟨\mathit{k}|\psi ⟩|& \ge & \left|\frac{1}{q^n}\sum _{v=0}^{c-1}{\omega }_q^{-qv/c}·q^{n-1}{\omega }_q^{a+vb}\sum _{z=0}^{b-1}{\omega }_q^z\right|-|\frac{1}{q^n}{\omega }_q^{-q(c-1)/c}·q^{n-1}\frac{\pi }{2}d|\hfill \\ & =& \frac{1}{q}\left|\sum _{v=0}^{c-1}{\omega }_q^{v(b-q/c)}\frac{sin(b\pi /q)}{sin(\pi /q)}\right|-\frac{\pi }{2}\frac{d}{q}\hfill \\ & =& \frac{1}{q}\frac{sin(b\pi /q)}{sin(\pi /q)}\left|\sum _{v=0}^{c-1}{\omega }_q^{v(b-q/c)}\right|-\frac{\pi }{2}\frac{d}{q}.\hfill \end{array}$$

(8)

Since $b-q/c=d/c$, we can bound the sum as follows:

$$\begin{array}{ccc}\hfill \left|\sum _{v=0}^{c-1}{\omega }_q^{v(b-q/c)}\right|=\left|\sum _{v=0}^{c-1}{\omega }_q^{vd/c}\right|& \ge & |\sum _{v=0}^{c-1}cos\left(\frac{2\pi }{q}\frac{vd}{c}\right)\hfill \end{array}$$

$$\begin{array}{cc}\ge & \left|\sum _{v=0}^{c-1}cos\left(\frac{2\pi }{q}d\right)\right|=\left|ccos\left(\frac{2\pi d}{q}\right)\right|\hfill \end{array}$$

(9)

$$\begin{array}{cc}\ge & c|*|\sqrt{1-{(2\pi d/q)}^2}\ge c\sqrt{\frac{{\pi }^2}{4}-1}.\hfill \end{array}$$

(10)

To get the inequalities (9) and (10) and, we used $0\le v\le c$ and the assumption that $d/q\le 1/4$ (if $d/q>1/4$, the claim of the theorem is trivial), which implies that $\frac{2\pi v}{c}\frac{d}{q}\le \frac{\pi }{2}$. The last inequality follows from $\left|cosx\right|\ge \sqrt{1-x^2}$.

Next, we bound $\frac{sin(b\pi /q)}{sin(\pi /q)}$. When $b/q\le 1/2$, $b\pi /q\le \pi /2$, so we have $sin(b\pi /q)\ge 2b/q$. We also have $sin(\pi /q)\le \pi /q$. Thus,

$$\frac{sin(b\pi /q)}{sin(\pi /q)}\ge \frac{2b}{\pi }.$$

on the other hand, when $b/q>1/2$, we must have $c=2$ and $b=\frac{q+d}{2}$. In that case

$$sin(b\pi /q)=sin\frac{\pi (q+d)}{2q}=sin\left(\frac{\pi }{2}+\frac{\pi }{2}\frac{d}{q}\right)=cos\frac{\pi d}{2q}\ge \sqrt{1-{\left(\frac{\pi d}{2q}\right)}^2}.$$

Since $sin(\pi /q)\le \pi /q$ and $q\ge 2b$, and by the assumption that $d/q\le 1/4$, we get

$$\frac{sin(b\pi /q)}{sin(\pi /q)}\ge \frac{\sqrt{1-{\left(\frac{\pi d}{2q}\right)}^2}}{\pi /q}\ge \frac{2b}{\pi }\sqrt{1-\frac{{\pi }^2}{64}}.$$

Thus, in both cases,

$$\frac{sin(b\pi /q)}{sin(\pi /q)}\ge \frac{2b}{\pi }\sqrt{1-\frac{{\pi }^2}{64}}.$$

Plugging this and (10) into (8), and again and using the assumption $d/q\le 1/4$, we get:

$$\begin{array}{ccc}\hfill \left|⟨\mathit{k},\psi ⟩\right|& \ge & \frac{1}{q}\frac{sin(b\pi /q)}{sin(\pi /q)}\left|\sum _{v=0}^{c-1}{\omega }_q^{v(b-q/c)}\right|-\frac{\pi }{2}\frac{d}{q}\hfill \\ & \ge & \frac{2}{\pi }\frac{bc}{q}\sqrt{\left(1-\frac{{\pi }^2}{64}\right)·\left(\frac{{\pi }^2}{4}-1\right)}-\frac{\pi }{8}\hfill \end{array}$$

(11)

$$\begin{array}{cc}\ge & \frac{2}{\pi }\frac{bc}{q}-\frac{\pi }{8}=\frac{2}{\pi }\frac{q+d}{q}-\frac{\pi }{8}\hfill \\ \ge & \frac{2}{\pi }-\frac{\pi }{8},\hfill \end{array}$$

(12)

completing the proof. □

6. Key Recovery Against LWE

In this section, we consider various $\mathsf{LWE}$-based encryption schemes and show using Theorem 9 that the decryption key can be efficiently recovered using a single quantum decryption query (Section 6.1, Section 6.2 and Section 6.3). Then, in Section 6.4, we show that a single quantum encryption query can be used to recover the secret key in a symmetric-key version of $\mathsf{LWE}$, as long as the querying algorithm also has control over part of the randomness used in the encryption procedure.

6.1. Key Recovery via One Decryption Query in Symmetric-Key LWE

Recall the following standard construction of an $\mathsf{IND}-\mathsf{CPA}$ symmetric-key encryption scheme based on the $\mathsf{LWE}$ assumption [3].

Construction 3

($\mathsf{LWE}-\mathsf{SKE}$ [3]). Let $n\ge 1$ be an integer, let $q\ge 2$ be an integer modulus and let χ be a discrete and symmetric error distribution. Then, the symmetric-key encryption scheme $\mathsf{LWE}-\mathsf{SKE}(n,q,\chi )=(\mathsf{KeyGen},\mathsf{Enc},\mathsf{Dec})$ is defined as follows:

1. 

$\mathsf{KeyGen}$: output $\mathit{k}-1pt\stackrel{\$}{\leftarrow }{\mathbb{Z}}_q^n$;

2. 

${\mathsf{Enc}}_{\mathit{k}}$: to encrypt $b\in \{0,1\}$, sample $\mathit{a}\stackrel{\$}{\leftarrow }{\mathbb{Z}}_q^n$, $e\stackrel{\chi }{\leftarrow }{\mathbb{Z}}_q$ and output $(\mathit{a},⟨\mathit{a},\mathit{k}⟩+b\lfloor \frac{q}{2}\rfloor +e)$;

3. 

${\mathsf{Dec}}_{\mathit{k}}$: to decrypt $(\mathit{a},c)$, output 0 if $|c-⟨\mathit{a},\mathit{k}⟩|\le \lfloor \frac{q}{4}\rfloor$, else output 1.

We refer to an encryption scheme as correct if $Pr[{\mathsf{Dec}}_{\mathit{k}}\left({\mathsf{Enc}}_{\mathit{k}}\left(b\right)\right)=b]=1-negl\left(n\right)$. To guarantee that the above $\mathsf{LWE}-\mathsf{SKE}$ scheme is correct, we need to restrict the support of the discrete error distribution $\chi$ by fixing the noise magnitude $\eta$ so that $\left|e\right|\le \lfloor \frac{q}{4}\rfloor$ for all $e\leftarrow \chi$.

As a corollary of Theorem 9, an adversary that is granted a single quantum decryption query can recover the key with probability at least ${\left(\frac{2}{\pi }-\frac{\pi }{8}\right)}^2$:

Corollary 1.

There is a quantum algorithm that makes one quantum query to $\mathsf{LWE}-\mathsf{SKE}.{\mathsf{Dec}}_{\mathit{k}}$ and recovers the entire key $\mathit{k}$ with probability at least ${\left(\frac{2}{\pi }-\frac{\pi }{8}\right)}^2\approx 0.059$.

Proof. 

Note that $\mathsf{LWE}-\mathsf{SKE}.{\mathsf{Dec}}_{\mathit{k}}$ coincides with a linear rounding function ${\mathsf{LRF}}_{{\mathit{k}}^{\prime },a,b}$ for a key ${\mathit{k}}^{\prime }=(-\mathit{k},1)\in {\mathbb{Z}}_q^{n+1}$, which has a unit in its last entry. We consider the following two cases: if q is not $3mod4$, set $b=\lceil q/2\rceil$, $a=-\lfloor q/4\rfloor$, hence we get ${\mathsf{Dec}}_{\mathit{k}}={\mathsf{LRF}}_{{\mathit{k}}^{\prime },a,b}$. If $q=3mod4$, set $b=\lceil q/2\rceil$, $a=\lceil q/4\rceil$, and then we have ${\mathsf{Dec}}_{\mathit{k}}=1-{\mathsf{LRF}}_{{\mathit{k}}^{\prime },a,b}$. Our claim follows in both cases. Thus, by Theorem 9, Algorithm 1 makes one quantum query to ${\mathsf{LRF}}_{{\mathit{k}}^{\prime },a,b}$, which can be implemented using one quantum query to $\mathsf{LWE}-\mathsf{SKE}.{\mathsf{Dec}}_{\mathit{k}}$, and recovers ${\mathit{k}}^{\prime }$, and thus $\mathit{k}$, with probability at least ${\left(\frac{2}{\pi }-\frac{\pi }{8}\right)}^2$. □

Note that the key in this scheme consists of $nlogq$ uniformly random bits, and that a classical decryption query yields at most a single bit of output. It follows that any algorithm making t classical queries to the decryption oracle recovers the entire key with probability at most $2^{t-nlogq}$. Using a linear number of classical queries, a straightforward key-recovery algorithm does in fact recover the key with constant success probability. One can simply query “unit vectors” of the form ${\mathit{e}}^{\left(i\right)}=(0,\dots ,0,1,0,\dots ,0)$ in order to recover one entry of the key at a time by averaging over errors.

6.2. Key Recovery via One Decryption Query in Public-Key LWE

The key-recovery attack described in Corollary 3 required nothing more than the fact that the decryption procedure of $\mathsf{LWE}-\mathsf{SKE}$ is just a linear rounding function whose key contains the decryption key. as a result, the attack is naturally applicable to other variants of $\mathsf{LWE}$. In this section, we consider two public-key variants. The first is the standard construction of $\mathsf{IND}-\mathsf{CPA}$ public-key encryption based on the $\mathsf{LWE}$ assumption, as introduced by Regev [3]. The second is the $\mathsf{IND}-\mathsf{CPA}$-secure public-key encryption scheme $\mathsf{FrodoPKE}$  [18], which is based on a construction of Lindner and Peikert [19]. In both cases, we demonstrate a dramatic speedup in key recovery using quantum decryption queries.

We emphasize once again that key recovery against these schemes was already possible classically using a linear number of decryption queries. Our results should thus not be interpreted as a weakness of these cryptosystems in their stated security setting (i.e., $\mathsf{IND}-\mathsf{CPA}$). The proper interpretation is that, if these cryptosystems are exposed to chosen-ciphertext attacks, then quantum attacks can be even more devastating than classical ones.

6.2.1. Regev’s Public-Key Scheme

The standard construction of an $\mathsf{IND}-\mathsf{CPA}$ public-key encryption scheme based on $\mathsf{LWE}$ is the following.

Construction 4

($\mathsf{LWE}-\mathsf{PKE}$  [3]). Let $m\ge n\ge 1$ be integers, let $q\ge 2$ be an integer modulus, and let χ be a discrete error distribution over ${\mathbb{Z}}_q$. The public-key scheme $\mathsf{LWE}-\mathsf{PKE}(n,q,\chi )=(\mathsf{KeyGen},\mathsf{Enc},\mathsf{Dec})$ is defined by the following efficient algorithms:

1. 

$\mathsf{KeyGen}$: output a secret key $\mathit{sk}=\mathit{k}\stackrel{\$}{\leftarrow }{\mathbb{Z}}_q^n$ and a public key $\mathit{pk}=(\mathit{A},\mathit{a}\mathit{k}+\mathit{e})\in {\mathbb{Z}}_q^{m\times (n+1)}$, where $\mathit{a}\stackrel{\$}{\leftarrow }{\mathbb{Z}}_q^{m\times n}$, $\mathit{e}\stackrel{\chi }{\leftarrow }{\mathbb{Z}}_q^m$, and all arithmetic is done modulo $q.$

2. 

$\mathsf{Enc}$: to encrypt $b\in \{0,1\}$, pick a random $\mathit{v}\in {\{0,1\}}^m$ with Hamming weight roughly $m/2$ and output $({\mathit{v}}^{\mathsf{T}}\mathit{A},{\mathit{v}}^{\mathsf{T}}(\mathit{A}\mathit{k}+\mathit{e})+b\lfloor \frac{q}{2}\rfloor )\in {\mathbb{Z}}_q^{n+1}$, where ${\mathit{v}}^{\mathsf{T}}$ denotes the transpose of $\mathit{v}$.

3. 

$\mathsf{Dec}$: to decrypt $(\mathit{a},c)$, output 0 if $|c-⟨\mathit{a},\mathit{sk}⟩|\le \lfloor \frac{q}{4}\rfloor$, else output 1.

Although the encryption is now done in a public-key manner, all that matters for our purposes is the decryption procedure, which is identical to the symmetric-key case, $\mathsf{LWE}-\mathsf{SKE}$. We thus have the following corollary, whose proof is identical to that of Corollary 3:

Corollary 2.

There is a quantum algorithm that makes one quantum query to $\mathsf{LWE}-\mathsf{PKE}.{\mathsf{Dec}}_{\mathit{sk}}$ and recovers the entire key $\mathit{sk}$ with probability at least ${\left(\frac{2}{\pi }-\frac{\pi }{8}\right)}^2\approx 0.059$.

6.2.2. Frodo Public-Key Scheme

Next, we consider the $\mathsf{IND}-\mathsf{CPA}$-secure public-key encryption scheme $\mathsf{FrodoPKE}$, which is based on a construction by Lindner and Peikert [19]. Compared to $\mathsf{LWE}-\mathsf{PKE}$, this scheme significantly reduces the key-size and achieves better security estimates than the initial proposal by Regev [3]. For a detailed discussion of $\mathsf{FrodoPKE}$, we refer to [18]. We present the entire scheme for completeness, but the important part for our purposes is the decryption procedure.

Construction 5

($\mathsf{FrodoPKE}$  [18]). Let $n,\overline{m},\overline{n}$ be integer parameters, let $q\ge 2$ be an integer power of 2, let B denote the number of bits used for encoding, and let χ be a discrete symmetric error distribution. The public-key encryption scheme $\mathsf{FrodoPKE}=(\mathsf{KeyGen},\mathsf{Enc},\mathsf{Dec})$ is defined as follows:

1. 

$\mathsf{KeyGen}$: generate a matrix $\mathit{a}\stackrel{\$}{\leftarrow }{\mathbb{Z}}_q^{n\times n}$ and matrices $\mathit{S},\mathit{E}\stackrel{\chi }{\leftarrow }{\mathbb{Z}}_q^{n\times \overline{n}}$; compute $\mathit{B}=\mathit{a}\mathit{S}+\mathit{E}\in {\mathbb{Z}}_q^{n\times \overline{n}}$; output the key-pair $(\mathit{pk},\mathit{sk})$ with public key $\mathit{pk}=(\mathit{A},\mathit{B})$ and secret key $\mathit{sk}=\mathit{S}$.

2. 

$\mathsf{Enc}$: to encrypt $\mathit{m}\in {\{0,1\}}^{B·\overline{m}·\overline{n}}$ (encoded as a matrix $\mathit{M}\in {\mathbb{Z}}_q^{\overline{m}\times \overline{n}}$ with each entry having 0 s in all but the B most significant bits) with public key $\mathit{pk}$, sample error matrices ${\mathit{S}}^{\prime },{\mathit{E}}^{\prime }\stackrel{\chi }{\leftarrow }{\mathbb{Z}}_q^{\overline{m}\times n}$ and ${\mathit{E}}^{″}\stackrel{\chi }{\leftarrow }{\mathbb{Z}}_q^{\overline{m}\times \overline{n}}$; compute ${\mathit{C}}_1={\mathit{S}}^{\prime }\mathit{a}+{\mathit{E}}^{\prime }\in {\mathbb{Z}}_q^{\overline{m}\times n}$ and ${\mathit{C}}_2=\mathit{M}+{\mathit{S}}^{\prime }\mathit{B}+{\mathit{E}}^{″}\in {\mathbb{Z}}_q^{\overline{m}\times \overline{n}}$; output the ciphertext $({\mathit{C}}_1,{\mathit{C}}_2)$.

3. 

$\mathsf{Dec}$: to decrypt $({\mathit{C}}_1,{\mathit{C}}_2)\in {\mathbb{Z}}_q^{\overline{m}\times n}\times {\mathbb{Z}}_q^{\overline{m}\times \overline{n}}$ with secret-key $\mathit{sk}=\mathit{S}$, compute $\mathit{M}={\mathit{C}}_2-{\mathit{C}}_1\mathit{S}\in {\mathbb{Z}}_q^{\overline{m}\times \overline{n}}$. For each $(i,j)\in \left[\overline{m}\right]\times \left[\overline{n}\right]$, output the first B bits of $M_{i,j}$.

We now show how to recover $\overline{m}$ of the $\overline{n}$ columns of the secret key $\mathit{S}$ using a single quantum query to $\mathsf{FrodoPKE}.{\mathsf{Dec}}_{\mathit{S}}$. If $\overline{m}=\overline{n}$, as in sample parameters given in [18], then this algorithm recovers $\mathit{S}$ completely.

Theorem 10.

There exists a quantum algorithm that makes one quantum query to $\mathsf{FrodoPKE}.{\mathsf{Dec}}_{\mathit{S}}$ and recovers any choice of $\overline{m}$ of the $\overline{n}$ columns of $\mathit{S}$. For each of the chosen columns, if that column has at least one odd entry, then the algorithm succeeds in recovering the column with probability at least ${\left(\frac{2}{\pi }-\frac{\pi }{8}\right)}^2\approx 0.059$.

Proof. 

Let ${\mathit{s}}^1,\cdots ,{\mathit{s}}^{\overline{n}}$ be the columns of $\mathit{S}$. Let U denote the map:

$$U:|\mathit{c}⟩|z_1⟩\cdots |z_{\overline{n}}⟩\mapsto |\mathit{c}⟩|z_1+{\mathsf{LRF}}_{{\mathit{s}}^1,0,q/2^B}\left(\mathit{c}\right)⟩\cdots |z_{\overline{n}}+{\mathsf{LRF}}_{{\mathit{s}}^{\overline{n}},0,q/2^B}\left(\mathit{c}\right)⟩,$$

for any $\mathit{c}\in {\mathbb{Z}}_q^n$ and $z_1,\cdots ,z_{\overline{n}}\in {\mathbb{Z}}_{2^B}$. We first argue that one call to $\mathsf{FrodoKEM}.{\mathsf{Dec}}_{\mathit{S}}$ can be used to implement $U^{\otimes \overline{m}}$. Then we show that one call to U can be used to recover any choice of the columns of $\mathit{S}$ with probability ${\left(\frac{2}{\pi }-\frac{\pi }{8}\right)}^2\approx 0.059$, as long as it has at least one entry that is odd.

Let $\mathsf{Trunc}:{\mathbb{Z}}_q\mapsto {\mathbb{Z}}_{2^B}$ denote the map that takes $x\in {\mathbb{Z}}_q$ to the integer represented by the B most significant bits of the binary representation of x. We have, for any ${\mathit{C}}_1\in {\mathbb{Z}}_q^{\overline{m}\times n}$, ${\mathit{C}}_2=0^{\overline{m}\times \overline{n}}$, and any ${\left\{z_{i,j}\right\}}_{i\in \left[\overline{m}\right],j\in \left[\overline{n}\right]}\subseteq {\mathbb{Z}}_{2^B}$:

$$U_{\mathsf{FrodoKEM}.\mathsf{Dec}}:|{\mathit{C}}_1⟩|0^{\overline{m}·\overline{n}}⟩\underset{i\in \left[\overline{m}\right],j\in \left[\overline{n}\right]}{⨂}|z_{i,j}⟩\mapsto |{\mathit{C}}_1⟩|0^{\overline{m}·\overline{n}}⟩\underset{i\in \left[\overline{m}\right],j\in \left[\overline{n}\right]}{⨂}|z_{i,j}+\mathsf{Trunc}({\left[{\mathit{C}}_1\mathit{S}\right]}_{i,j})⟩.$$

(13)

Above, ${\left[{\mathit{C}}_1\mathit{S}\right]}_{i,j}$ represents the $ij$-th entry of ${\mathit{C}}_1\mathit{S}$. If ${\mathit{c}}^1,\cdots ,{\mathit{c}}^{\overline{m}}$ denote the rows of ${\mathit{C}}_1$, then ${\left[{\mathit{C}}_1\mathit{S}\right]}_{i,j}={\mathit{c}}^i,{\mathit{s}}^j$. Thus, $\mathsf{Trunc}\left({\left[{\mathit{C}}_1\mathit{S}\right]}_{i,j}\right)={\mathsf{LRF}}_{{\mathit{s}}^j,0,q/2^B}\left({\mathit{c}}^i\right)$, the linear rounding function with block size $b=q/2^B$, which is an integer since q is a power of 2, and $a=0$. Note that we have also assumed that the plaintext is subtracted rather than added to the last register; this is purely for convenience of analysis, and can easily be accounted for by adjusting Algorithm 1 (e.g., by using inverse-$\mathsf{QFT}$ instead of $\mathsf{QFT}$.)

Discarding the second register (containing ${\mathit{C}}_2=0$), the right-hand side of (13) becomes

$$|{\mathit{c}}^1⟩\cdots |{\mathit{c}}^{\overline{m}}⟩\underset{i\in \left[\overline{m}\right],j\in \left[\overline{n}\right]}{⨂}|z_{i,j}+{\mathsf{LRF}}_{{\mathit{s}}^j,0,q/2^B}\left({\mathit{c}}^i\right)⟩.$$

(14)

Reordering the registers of (14), we get:

$$\underset{i\in \left[\overline{m}\right]}{⨂}\left(|{\mathit{c}}^i⟩\underset{j\in \left[\overline{n}\right]}{⨂}|z_{i,j}+{\mathsf{LRF}}_{{\mathit{s}}^j,0,q/2^B}\left({\mathit{c}}^i\right)⟩\right)=U^{\otimes \overline{m}}\left(\underset{i\in \left[\overline{m}\right]}{⨂}|{\mathit{c}}^i⟩\underset{j\in \left[\overline{n}\right]}{⨂}|z_{i,j}⟩\right).$$

Thus, we can implement $U^{\otimes \overline{m}}$ using a single call to $\mathsf{FrodoKEM}.{\mathsf{Dec}}_{\mathit{S}}$.

Next we show that for any particular $j\in \left[\overline{n}\right]$, a single call to U can be used to recover ${\mathit{s}}^j$, the j-th column of $\mathit{S}$, with probability at least ${\left(\frac{2}{\pi }-\frac{\pi }{8}\right)}^2\approx 0.059$, as long as at least one entry of ${\mathit{s}}^j$ is odd. To do this, we show how one use of U can be used to implement one phase query to ${\mathsf{LRF}}_{s^j,0,q/2^B}$. Then the result follows from the proof of Theorem 9.

Let $|\phi ⟩=2^{-B/2}{\sum }_{z=0}^{2^B-1}|z⟩$, and define

$$|{\varphi }_j{⟩=|\phi ⟩}^{\otimes (j-1)}\otimes \frac{1}{\sqrt{2^B}}\sum _{z=0}^{2^B-1}{\omega }_{2^B}^z|z⟩\otimes {|\phi ⟩}^{\otimes (\overline{n}-j)}.$$

Then for any $\mathit{c}\in {\mathbb{Z}}_q^n$, we have:

$$\frac{1}{\sqrt{2^B}}\sum _{z=0}^{2^B-1}|z+{\mathsf{LRF}}_{{\mathit{s}}^i,0,q/2^B}\left(\mathit{c}\right)⟩=\frac{1}{\sqrt{2^B}}\sum _{z=0}^{2^B-1}|z⟩=|\phi ⟩,$$

since addition here is modulo $2^B$, and

$$\frac{1}{\sqrt{2^B}}\sum _{z=0}^{2^B-1}{\omega }_{2^B}^z|z+{\mathsf{LRF}}_{{\mathit{s}}^j,0,q/2^B}\left(\mathit{c}\right)⟩=\frac{1}{\sqrt{2^B}}\sum _{z=0}^{2^B-1}{\omega }_{2^B}^{z-{\mathsf{LRF}}_{{\mathit{s}}^j,0,q/2^B}\left(\mathit{c}\right)}|z⟩.$$

Thus:

$$\begin{array}{ccc}\hfill U\left(\right|\mathit{c}⟩|{\varphi }_j⟩)& =& {|\mathit{c}⟩|\phi ⟩}^{\otimes (j-1)}\otimes \frac{1}{\sqrt{2^B}}\sum _{z=0}^{2^B-1}{\omega }_{2^B}^{z-{\mathsf{LRF}}_{{\mathit{s}}^j,0,q/2^B}\left(\mathit{c}\right)}|z⟩\otimes {|\phi ⟩}^{\otimes (\overline{n}-j)}\hfill \\ & =& {\omega }_{2^B}^{-{\mathsf{LRF}}_{{\mathit{s}}^j,0,q/2^B}\left(\mathit{c}\right)}|\mathit{c}⟩|{\varphi }_j⟩.\hfill \end{array}$$

Thus, by the proof of Theorem 9, if we apply U to $q^{-n/2}{\sum }_{\mathit{c}\in {\mathbb{Z}}_q^n}|\mathit{c}⟩|{\varphi }_j⟩$, Fourier transform the first register, and then measure, assuming ${\mathit{s}}^j$ has at least one entry that is a unit (since q is a power of 2, this is just an odd number) we will measure ${\mathit{s}}^j$ with probability at least ${\left(\frac{2}{\pi }-\frac{\pi }{8}\right)}^2\approx 0.059$.

Thus, if we want to recover columns $j_1,\cdots j_{\overline{m}}$ of $\mathit{S}$, we apply our procedure for $U^{\otimes \overline{m}}$, which costs one query to $\mathsf{FrodoKEM}.{\mathsf{Dec}}_{\mathit{S}}$, to the state

$$\sum _{\mathit{c}\in {\mathbb{Z}}_q^n}\frac{1}{\sqrt{q^n}}|\mathit{c}⟩|{\varphi }_{j_1}⟩\otimes \cdots \otimes \sum _{\mathit{c}\in {\mathbb{Z}}_q^n}\frac{1}{\sqrt{q^n}}|\mathit{c}⟩|{\varphi }_{j_{\overline{m}}}⟩,$$

Fourier transform each of the $\mathit{c}$ registers, and then measure. □

6.3. Key Recovery via One Decryption Query in Public-Key Ring-LWE

Next, we analyze key-recovery with a single quantum decryption query against Ring-$\mathsf{LWE}$ encryption. Unlike the plain $\mathsf{LWE}$-based encryption schemes we considered in the previous sections, Ring-$\mathsf{LWE}$ encryption uses noisy samples over a polynomial ring. In the following, we consider the basic, bit-by-bit Ring-$\mathsf{LWE}$ public-key encryption scheme introduced in [20,21]. It is based on the rings $\mathcal{R}=\mathbb{Z}\left[X\right]/X^n+1$ and ${\mathcal{R}}_q:=\mathcal{R}/q\mathcal{R}={\mathbb{Z}}_q\left[X\right]/X^n+1$ for some power-of-two integer n and $poly\left(n\right)$-bounded prime modulus q. The details of the error distribution $\chi$ below will not be relevant to our results.

In order to generate samples, we assume a symmetric error distribution $\chi$ that samples “small” error polynomials from $\mathcal{R}$. For example, a typical choice (under a particular representation for ${\mathcal{R}}_q$) is to use an n-dimensional Gaussian, more specifically the product of n centered one-dimensional Gaussian distributions.

Let us first recall the basic public-key encryption scheme based on Ring-$\mathsf{LWE}$. We restrict our analysis to single-bit encryption only.

Construction 6

(Ring-$\mathsf{LWE}$-$\mathsf{PKE}$  [20,21]). Let $n\ge 1$ be an integer, let $q\ge 2$ be an integer modulus, and let χ be an error distribution over $\mathcal{R}$. The public-key encryption scheme $\mathsf{Ring}-\mathsf{LWE}$-$\mathsf{PKE}$ $=(\mathsf{KeyGen},\mathsf{Enc},\mathsf{Dec})$ is defined as follows:

1. 

$\mathsf{KeyGen}$: sample $a\stackrel{\$}{\leftarrow }{\mathcal{R}}_q$ and $e,s\stackrel{\chi }{\leftarrow }\mathcal{R}$; output $sk=s$ and $pk=(a,c=a·s+e(modq))\in {\mathcal{R}}_q^2$.

2. 

$\mathsf{Enc}$: to encrypt $b\in \{0,1\}$, sample $r,e_1,e_2\stackrel{\chi }{\leftarrow }\mathcal{R}$ and output a ciphertext pair $(u,v)\in {\mathcal{R}}_q^2$, where $u=a·r+e_1(modq)$ and $v=c·r+e_2+b\lfloor q/2\rfloor (modq)$.

3. 

$\mathsf{Dec}$: to decrypt $(u,v)$, compute $v-u·s=(r·e-s·e_1+e_2)+b\lfloor q/2\rfloor (modq)\in {\mathcal{R}}_q$; output 0 if the constant term of the polynomial is closer to 0 than $\lfloor q/2\rfloor$, else output 1.

We note that our choice of placing single-bit encryption in the constant term of the polynomial is somewhat arbitrary. Indeed, it is straightforward to extend our results to encryption with respect to other monomials. To speed up multiplication of large polynomials, various embeddings are adopted in practice that represent elements in ${\mathcal{R}}_q$ as vectors in ${\mathbb{Z}}_q^n$ [20]. For example, one can adopt the number-theoretic transform (NTT) to reduce polynomial multiplication to the much faster component-wise multiplication, such as in the post-quantum proposal New Hope [32]. We emphasize that our results are independent of the actual embedding used in practice, as long as the representation is an isomorphism between ${\mathcal{R}}_q$ and ${\mathbb{Z}}_q^n$. The same is true for the choice of ring $\mathcal{R}$ under a cyclotomic polynomial, and ultimately results in only slightly different classical post-processing. We show the following corollary to Theorem 9.

Corollary 3.

There is a quantum algorithm that makes one quantum query to $\mathsf{Ring}-\mathsf{LWE}$-$\mathsf{PKE}.{\mathsf{Dec}}_s$ and recovers the entire key s with probability at least ${\left(\frac{2}{\pi }-\frac{\pi }{8}\right)}^2\approx 0.059$.

Proof. 

Let us first analyze the decryption function. We let ${\left(p\right)}_0$ denote the constant term of a polynomial $p\in {\mathcal{R}}_q$. Then, for any two polynomials $u={\sum }_{j=0}^{n-1}{u}_j{X}^j$ and $s={\sum }_{j=0}^{n-1}{s}_j{X}^j\in {\mathcal{R}}_q$, we can identify the constant term of $u·s$ as

$$\begin{array}{cc}\hfill {(u·s)}_0& =u_0{s}_0+\sum _{j=1}^{n-1}{u}_j{s}_{n-j}{X}^j{X}^{n-j}\hfill \\ \hfill & \equiv u_0{s}_0-u_1{s}_{n-1}-u_2{s}_{n-2}-\cdots -u_{n-1}{s}_1(modq),\hfill \end{array}$$

(15)

since $X^n\equiv -1$ in ${\mathcal{R}}_q$. We show that the outcome of $\mathsf{Ring}-\mathsf{LWE}$-$\mathsf{PKE}.{\mathsf{Dec}}_s(u,v)$ coincides with a binary linear rounding function over ${\mathbb{Z}}_q^n$. Let $\mathit{u},\mathit{s}\in {\mathbb{Z}}_q^n$ denote the coefficient vectors of $u,s\in {\mathcal{R}}_q$ respectively, and define a constant polynomial $v\equiv v_0\in {\mathcal{R}}_q$ and vector ${\mathit{u}}^{\prime }:=(\mathit{u},v_0)\in {\mathbb{Z}}_q^{n+1}$, for some $v_0\in {\mathbb{Z}}_q$. We find that $\mathsf{Ring}-\mathsf{LWE}$-$\mathsf{PKE}.{\mathsf{Dec}}_s(u,v_0)$ rounds the inner product $⟨{\mathit{u}}^{\prime },{\mathit{s}}^{\prime }⟩$, where

$${\mathit{s}}^{\prime }=(-s_0(modq),s_{n-1},\cdots ,s_1,1).$$

Thus, we can run the Bernstein–Vazirani algorithm for binary linear rounding functions on a uniform superposition over ${\mathbb{Z}}_q^n$ and recover $\mathit{s}$ from ${\mathit{s}}^{\prime }$ with simple classical post-processing. Note also that any choice of isomorphism between ${\mathcal{R}}_q$ and ${\mathbb{Z}}_q^n$ necessarily preserves the inner product in Equation (15), and hence any measurement outcome can be mapped back to the standard basis prior to post-processing—independently of the actual ring representation used in practice.

By Theorem 9, Algorithm 1 makes one quantum query to ${\mathsf{LRF}}_{{\mathit{s}}^{\prime },q}$, which can be implemented using one quantum query to $\mathsf{Ring}-\mathsf{LWE}$-$\mathsf{PKE}.{\mathsf{Dec}}_s$, and recovers the string ${\mathit{s}}^{\prime }$, and thus also $\mathit{s}$, with probability ${\left(\frac{2}{\pi }-\frac{\pi }{8}\right)}^2$. □

6.4. Key Recovery via a Randomness-Access Query

While a linear number of classical decryption queries can be used to break $\mathsf{LWE}$-based schemes, we have shown that only a single quantum decryption query is required. A natural question to ask is whether a similar statement can be made for encryption queries. Classically, it is known that the symmetric key version of $\mathsf{LWE}$ described in Construction 3, $\mathsf{LWE}-\mathsf{SKE}$, can be broken using a linear number of classical encryption queries when the adversary is also allowed to choose the randomness used by the query: The adversary simply sets the value to $e=0$ each time, with $\mathit{a}$ taking n linearly independent values.

In case the adversary is allowed to make quantum encryption queries with randomness access, a single quantum query suffice to recover the entire key with non-negligible probability, even when the adversary only has control over a part of the randomness used by the encryption: The randomness used to prepare vectors $\mathit{a}$, but not the randomness used to select the error e. Specifically, the adversary is given quantum oracle access to the randomness-access encryption oracle$U_{{\mathsf{Enc}}_{\mathit{k}}}^{\mathsf{RA}}$ such that, on input $(b;\mathit{a})$, the adversary receives

$${\mathsf{Enc}}_{\mathit{k}}^{\mathsf{RA}}(b;\mathit{a})=(\mathit{a},⟨\mathit{a},\mathit{k}⟩+b⌊q/2⌋+e),$$

where $e\leftarrow \chi$. We extend this to a quantum randomness-access oracle by answering each element of the superposition using i.i.d. errors $e_a\leftarrow \chi$:

$$U_{{\mathsf{Enc}}_{\mathit{k}}}^{\mathsf{RA}}:|m⟩|a⟩|c⟩\mapsto |m⟩|a⟩|c\oplus {\mathsf{Enc}}_{\mathit{k}}^{\mathsf{RA}}(m;a)⟩.$$

This model is identical to the noisy learning model considered by Grilo et al. [22] which was inspired by the original noise model of Bshouty and Jackson [33]. First, it is not hard to see that algorithms making classical queries to the above oracle can extract at most $logq$ bits of key from each query (specifically, from the last component of the ciphertext), and thus still require a linear number of queries to recover the complete key with non-negligible probability.

On the other hand, by a slight generalization of the proof of Theorem IV$.1$ from Ref. [22], we can recover the entire key with inverse polynomial success probability using a single query to $U_{{\mathsf{Enc}}_{\mathit{k}}}^{\mathsf{RA}}$, as long as the noise magnitute $\eta$ is polynomial in n. While Grilo et al. show how to apply Bernstein–Vazirani to solve a certain computational learning version of $\mathsf{LWE}$ with quantum samples, we adopt a wider set of cryptographic security parameters and show that this algorithm leads to a dramatic quantum speed-up in an actual attack. Specifically, our improved analysis shows that the modulus need not be prime. In particular, in the case of only a single query to a quantum randomness-access encryption oracle, the entire key can be recovered with inverse polynomial success probability, as long as the noise magnitude $\eta$ is polynomial in n. This is certainly the case for the vast majority of schemes in practice. Recall that $\phi$ denotes the Euler totient function. Specifically, for $m\in \mathbb{N}$, $\phi \left(m\right)$ counts the number of integers up to m that are relative prime to m. If m is prime, then $\phi \left(m\right)=m-1$. Our algorithm to recover the key is as follows.

Theorem 11.

Consider $\mathsf{LWE}-\mathsf{SKE}(n,q,\chi )$ with an arbitrary integer modulus $2\le q\le exp\left(n\right)$ and a symmetric error distribution χ of noise magnitude η. Then, Algorithm 2 makes one query to a randomness-accessible quantum encryption oracle for $\mathsf{LWE}-\mathsf{SKE}(n,q,\chi )$ and recovers the entire key with probability at least $\phi \left(q\right)/\left(24\eta q\right)-o\left(1\right)$.

Proof. 

We follow a similar analysis as in Theorem IV$.1$ in [22]. Let $\mathit{k}$ denote the key as sampled by $\mathsf{LWE}-\mathsf{SKE}(n,q,\chi )$. After querying $U_{{\mathsf{Enc}}_{\mathit{k}}}^{\mathsf{RA}}$ upon a state corresponding to an encryption of a message $b_0=0$, together with a choice of uniform superposition over the randomness register,

$${\displaystyle \frac{1}{\sqrt{q^n}}\sum _{\mathit{x}\in {\mathbb{Z}}_q^n}|b_0⟩|x_1⟩\cdots |x_n⟩|0⟩,}$$

Algorithm 2: Bernstein–Vazirani for randomness-accessible $\mathsf{LWE}$ encryption

input: Quantum randomness-access oracle $U_{{\mathsf{Enc}}_{\mathit{k}}}^{\mathsf{RA}}$ for $\mathsf{LWE}-\mathsf{SKE}(n,q,\chi )$

output: $\mathit{k}\in {\mathbb{Z}}_q^n$ with probability $\approx \phi \left(q\right)/\left(24\eta q\right)$

Prepare a state corresponding to the message $b_0=0$ and uniform randomness: $${\displaystyle \frac{1}{\sqrt{q^n}}\sum _{\mathit{x}\in {\mathbb{Z}}_q^n}|b_0⟩|x_1⟩\cdots |x_n⟩|0⟩.}$$ Query the randomness-accessible oracle $U_{{\mathsf{Enc}}_{\mathit{k}}}^{\mathsf{RA}}$, resulting in $${\displaystyle \frac{1}{\sqrt{q^n}}\sum _{\mathit{x}\in {\mathbb{Z}}_q^n}|b_0⟩|x_1⟩\cdots |x_n⟩|⟨\mathit{x},\mathit{k}⟩+b_0⌊q/2⌋+e_{\mathit{x}}\left(\mathrm{mod}q\right)⟩.}$$ Discard the first register and apply the quantum Fourier transform ${\mathsf{QFT}}_{{\mathbb{Z}}_q}^{\otimes n+1}$. Measure in the computational basis, yielding an outcome $|y_1⟩\cdots |y_n⟩|z⟩$. If$\gcd (z,q)=1$, output $\tilde{\mathit{k}}=-(y_1,\cdots ,y_n)/z(modq)$, else output ⊥.

Algorithm 2 receives a sample $|\psi ⟩$ where, for unknown independent errors $e_{\mathit{x}}\leftarrow \chi$ of noise magnitude $|e_{\mathit{x}}|\le \eta$,

$${\displaystyle |\psi ⟩=\frac{1}{\sqrt{q^n}}\sum _{\mathit{x}\in {\mathbb{Z}}_q^n}|b_0⟩|x_1⟩\cdots |x_n⟩\left|⟨\mathit{x},\mathit{k}⟩\right|+e_{\mathit{x}}\left(\mathrm{mod}q\right)⟩.}$$

Thus, when discarding the first register and applying the quantum Fourier transform, we find

$${\mathsf{QFT}}_{{\mathbb{Z}}_q}^{\otimes n+1}|\psi ⟩=\frac{1}{q^{n+1/2}}\sum _{\mathit{x}\in {\mathbb{Z}}_q^n}\sum _{\mathit{y}\in {\mathbb{Z}}_q^n}\sum _{z\in {\mathbb{Z}}_q}{\omega }^{\mathit{x},\mathit{y}+z\mathit{k}+e_{\mathit{x}}z}|y_1⟩\cdots |y_n⟩|z⟩.$$

When measuring in the standard basis, the probability of obtaining outcome $y_1,\cdots ,y_n,z$ is

$$\frac{1}{q^{2n+1}}{\left|\sum _{\mathit{x}\in {\mathbb{Z}}_q^n}{\omega }^{\mathit{x},\mathit{y}+z\mathit{k}+e_{\mathit{x}}z}\right|}^2.$$

In particular, the probability that $\mathit{y}=-z\mathit{k}(modq)$ and also that z is prime relative to q (i.e., $gcd(z,q)=1$ and thus $z\in {\mathbb{Z}}_q^{\times }$) is given by

$$\begin{array}{cc}\hfill \frac{1}{q^{2n+1}}\sum _{z\in {\mathbb{Z}}_q^{\times }}{\left|\sum _{\mathit{x}\in {\mathbb{Z}}_q^n}{\omega }^{e_{\mathit{x}}z}\right|}^2& =\frac{1}{q^{2n+1}}\sum _{z\in {\mathbb{Z}}_q^{\times }}{\left[\right(\sum _{\mathit{x}\in {\mathbb{Z}}_q^n}\mathrm{Re}\left({\omega }^{e_{\mathit{x}}z}\right))}^2+{\left(\sum _{\mathit{x}\in {\mathbb{Z}}_q^n}\mathrm{Im}\left({\omega }^{e_{\mathit{x}}z}\right)\right)}^2]\hfill \\ \hfill & \ge \frac{1}{q^{2n+1}}\sum _{z\in {\mathbb{Z}}_q^{\times }}{\left(\sum _{\mathit{x}\in {\mathbb{Z}}_q^n}cos\left(\frac{2\pi e_{\mathit{x}}z}{q}\right)\right)}^2\ge \frac{1}{q^{2n+1}}\sum _{\begin{array}{c}z\in {\mathbb{Z}}_q^{\times }\\ 1\le z\le \frac{q}{6\eta }\end{array}}{\left(\sum _{\mathit{x}\in {\mathbb{Z}}_q^n}\frac{1}{2}\right)}^2\hfill \\ \hfill & \ge \frac{1}{4q}\sum _{\begin{array}{c}z\in {\mathbb{Z}}_q^{\times }\\ 1\le z\le \frac{q}{6\eta }\end{array}}1\ge \frac{\phi \left(q\right)}{24\eta q}-O(1/q).\hfill \end{array}$$

in the last inequality, we used the fact that $⌊\frac{q}{6\eta }⌋=\frac{q}{6\eta }+O\left(1\right)$, as well as a standard identity on the Euler totient function which we state in Lemma A2: Let $n,m>1$ be integers and let $\omega$ be the prime omega function. Then, the following identity holds:

$$\sum _{\genfrac{}{}{0pt}{}{1\le j\le n}{gcd(j,m)=1}}1=n\frac{\phi \left(m\right)}{m}+O\left(2^{\omega \left(m\right)}\right).$$

Therefore, Algorithm 2 outputs the correct key $\tilde{\mathit{k}}$ with probability at least $\phi \left(q\right)/\left(24\eta q\right)-o\left(1\right)$. Note that, because $\phi \left(q\right)=\mathsf{\Omega }\left(q/loglog\left(q\right)\right)$, the success probability is inverse polynomial so long as the noise magnitude $\eta$ is polynomial in n. □

For completeness, we also consider a slightly different and yet plausible error model for quantum randomness-access queries. Unlike the previous model of i.i.d. errors, we now consider a single error $e\leftarrow \chi$ being sampled for every branch of the superposition of a single query. Our algorithm will crucially exploit the property that the error does not depend on any of the particular vectors in the respective branches of the wave function.

Surprisingly, we find that the error model of choice does matter, and greatly impacts the analysis of the algorithm. In fact, as we show next, one can now recover $\mathit{k}$ with certainty using only a single query to the randomness access encryption oracle. We adapt Algorithm 2 as follows:

We are left with the following Corollary.

Corollary 4.

Consider $\mathsf{LWE}-\mathsf{SKE}(n,q,\chi )$ with an arbitrary integer modulus $2\le q\le exp\left(n\right)$ and a symmetric error distribution χ of noise magnitude η. Then, there exists a quantum algorithm that makes one query to a single-error randomness-accessible quantum encryption oracle for $\mathsf{LWE}-\mathsf{SKE}(n,q,\chi )$ and recovers the entire key with probability 1.

Proof. 

The result follows straight from the definition of the quantum Fourier transform. After applying the transformation in step 3 of Algorithm 3, the register contains the entries $(k_1,\cdots ,k_n)$. □

Algorithm 3: Bernstein–Vazirani for (single-error) randomness-accessible $\mathsf{LWE}$ encryption

input  :Quantum randomness-access oracle $U_{{\mathsf{Enc}}_{\mathit{k}}}^{\mathsf{RA}}$ for $\mathsf{LWE}-\mathsf{SKE}(n,q,\chi )$ in the single-error model. output  :$\mathit{k}\in {\mathbb{Z}}_q^n$ with probability 1

Prepare a particular state corresponding to the message $b_0=0$ as follows: $${\displaystyle \frac{1}{\sqrt{q^n}}\sum _{\mathit{x}\in {\mathbb{Z}}_q^n}|b_0⟩|x_1⟩\cdots |x_n⟩\otimes \frac{1}{\sqrt{q}}\sum _{z=0}^{q-1}{\omega }_q^z|z⟩.}$$ Query the randomness-accessible oracle $U_{{\mathsf{Enc}}_{\mathit{k}}}^{\mathsf{RA}}$ with single error $e\leftarrow \chi$: $${\displaystyle \frac{1}{\sqrt{q^n}}\sum _{\mathit{x}\in {\mathbb{Z}}_q^n}{\omega }_q^{-\mathit{x},\mathit{k}}|b_0⟩|x_1⟩\cdots |x_n⟩\otimes \frac{1}{\sqrt{q}}\sum _{z=0}^{q-1}{\omega }_q^z|z+e⟩.}$$ Discard the first and last register, and apply the quantum Fourier transform ${\mathsf{QFT}}_{{\mathbb{Z}}_q}^{\otimes n}$. Measure in the computational basis to obtain $\mathit{k}\in {\mathbb{Z}}_q^n$.

Appendix A.1. Bound for Quantum Random Access Codes

Recall that a quantum random access code ($\mathsf{QRAC}$) is the following scenario involving two parties, Alice and Bob [26]:

• Alice receives an N-bit string x and encodes it as a quantum state ${\varrho }_x$.
• Bob receives ${\varrho }_x$ from Alice and is asked to recover the i-th bit of x, for some $i\in \{1,\cdots ,N\}$, by measuring the state.
• They win if Bob’s output agrees with $x_i$ and lose otherwise.

A variation of this scenario allows Alice and Bob to use shared randomness in their encoding and decoding operations [27] (note that shared randomness per se does not allow them to communicate). If we denote the shared random variable by $\lambda$, Alice’s can now produce ${\varrho }_x^{\lambda }$

We are interested in bounding the average bias $ϵ=p_{\mathrm{win}}-1/2$ of a quantum random access code with shared randomness, where $p_{\mathrm{win}}$ is the winning probability averaged over $x\stackrel{\$}{\leftarrow }{\{0,1\}}^N$ and $i\stackrel{\$}{\leftarrow }\{1,\cdots ,N\}$.

Lemma A1.

The average bias of a quantum random access code with shared randomness that encodes N bits into a d-dimensional quantum state is $O\left(\sqrt{N^{-1}logd}\right)$. In particular, if $N=2^n$ and $d=2^{poly\left(n\right)}$ the bias is $O(2^{-n/2}poly\left(n\right))$.

Proof. 

A quantum random access code with shared randomness that encodes N bits into a d-dimensional quantum state is specified by the following:

• a shared random variable $\lambda$,
• for each $x\in {\{0,1\}}^N$, a d-dimensional quantum state ${\varrho }_x^{\lambda }$ encoding x,
• for each $i\in \{0,\cdots ,N\}$, an observable $M_i^{\lambda }$ for recovering the i-th bit.

Formally, ${\varrho }_x^{\lambda }$ and $M_i^{\lambda }$ are $d\times d$ Hermitian matrices such that ${\varrho }_x^{\lambda }\ge 0$, $\mathrm{Tr}{\varrho }_x^{\lambda }=1$, and $||M_i^{\lambda }||\le 1$ where $||$ denotes the operator norm of $M_i^{\lambda }$. Note that both ${\varrho }_x^{\lambda }$ and $M_i^{\lambda }$ depend on the shared random variable $\lambda$, meaning that Alice and Bob can coordinate their strategies.

The bias of correctly guessing $x_i$, for a given x and i, is ${(-1)}^{x_i}\mathrm{Tr}\left({\varrho }_x^{\lambda }{M}_i^{\lambda }\right)/2.$ Moreover, if the average bias of the code is $ϵ$, then ${\mathbb{E}}_{\lambda }{\mathbb{E}}_{x,i}{(-1)}^{x_i}\mathrm{Tr}\left({\varrho }_x^{\lambda }{M}_i^{\lambda }\right)\ge 2ϵ.$ We can rearrange this expression and upper bound each term using its operator norm, and then apply the noncommutative Khintchine inequality [34]:

$$\begin{array}{cc}\hfill {\mathbb{E}}_{\lambda }{\mathbb{E}}_x\frac{1}{N}\mathrm{Tr}\left({\varrho }_x^{\lambda }\sum _{i=1}^N{(-1)}^{x_i}{M}_i^{\lambda }\right)& \le {\mathbb{E}}_{\lambda }{\mathbb{E}}_x\frac{1}{N}||\sum _{i=1}^N{(-1)}^{x_i}{M}_i^{\lambda }||\hfill \\ \hfill & \le {\mathbb{E}}_{\lambda }\frac{1}{N}c\sqrt{Nlogd}\hfill \\ \hfill & =c\sqrt{\frac{logd}{N}},\hfill \end{array}$$

for some constant c. In other words, $ϵ\le \frac{c}{2}\sqrt{\frac{logd}{N}}.$ in the particular case we are interested in, $d=2^{poly\left(n\right)}$ and $N=2^n$ so $ϵ\le \frac{c}{2}\sqrt{\frac{poly\left(n\right)}{2^n}},$ completing the proof. □

Appendix A.2. Equivalence of QCCA Models

Recall that the $\mathsf{IND}-\mathsf{QCCA}\mathsf{1}$ notion is based on the security game $\mathsf{IndGame}$ defined in Definition 3. In the alternative security game ${\mathsf{IndGame}}^{\prime }$ (see Definition 4), the adversary provides only one plaintext m and must decide if the challenge is an encryption of m or an encryption of a random string. In this section, we prove the following:

Proposition A1.

An encryption scheme Π is $\mathsf{IND}-\mathsf{QCCA}\mathsf{1}$ if and only if for every $\mathsf{QPT}$ $\mathcal{A}$,

$$Pr[⊣wins{\mathsf{IndGame}}^{\prime }(\mathsf{\Pi },\mathcal{A},n)]\le 1/2+negl\left(n\right).$$

Proof. 

Fix a scheme $\mathsf{\Pi }$. For one direction, suppose $\mathsf{\Pi }$ is $\mathsf{IND}-\mathsf{QCCA}\mathsf{1}$ and let $\mathcal{A}$ be an adversary against ${\mathsf{IndGame}}^{\prime }$. Define an adversary ${\mathcal{A}}_0$ against $\mathsf{IndGame}$ as follows: (i.) run $\mathcal{A}$ until it outputs a challenge plaintext m, (ii.) sample random r and output $(m,r)$, (iii.) run the rest of $\mathcal{A}$ and output what it outputs. The output distribution of ${\mathsf{IndGame}}^{\prime }(\mathsf{\Pi },\mathcal{A},n)$ is then identical to $\mathsf{IndGame}(\mathsf{\Pi },{\mathcal{A}}_0,n)$, which in turn must be negligibly close to uniform by $\mathsf{IND}-\mathsf{QCCA}\mathsf{1}$ security of $\mathsf{\Pi }$.

For the other direction, suppose no adversary can win ${\mathsf{IndGame}}^{\prime }$ with probability better than $1/2$, and let $\mathcal{B}$ be an adversary against $\mathsf{IndGame}$. Now, define two adversaries ${\mathcal{B}}_0$ and ${\mathcal{B}}_1$ against ${\mathsf{IndGame}}^{\prime }$ as follows. The adversary ${\mathcal{B}}_c$ does: (i.) run $\mathcal{B}$ until it outputs a challenge $(m_0,m_1)$, (ii.) output $m_c$, (iii.) run the rest of $\mathcal{B}$ and output what it outputs. Note that the pre-challenge algorithm is identical for $\mathcal{B}$, ${\mathcal{B}}_0$, and ${\mathcal{B}}_1$; define random variables $M_0$, $M_1$ and R given by the two challenges and a uniformly random plaintext, respectively. The post-challenge algorithm is also identical for all three adversaries; call it $\mathcal{C}$. The advantage of $\mathcal{B}$ over random guessing is then bounded by

$$\begin{array}{cc}\hfill \parallel \mathcal{C}& \left({\mathsf{Enc}}_k\left(M_0\right)\right)-\mathcal{C}\left({\mathsf{Enc}}_k\left(M_1\right)\right){\parallel }_1\hfill \\ & =\parallel \mathcal{C}\left({\mathsf{Enc}}_k\left(M_0\right)\right)-\mathcal{C}\left({\mathsf{Enc}}_k\left(M_1\right)\right)-\mathcal{C}\left({\mathsf{Enc}}_k\left(R\right)\right)+\mathcal{C}\left({\mathsf{Enc}}_k\left(R\right)\right){\parallel }_1\hfill \\ & \le \parallel \mathcal{C}\left({\mathsf{Enc}}_k\left(M_0\right)\right)-\mathcal{C}\left({\mathsf{Enc}}_k\left(R\right)\right){\parallel }_1+{\parallel \mathcal{C}\left({\mathsf{Enc}}_k\left(M_1\right)\right)-\mathcal{C}\left({\mathsf{Enc}}_k\left(R\right)\right)\parallel }_1\hfill \\ & \le negl\left(n\right),\hfill \end{array}$$

where the last inequality follows from our initial assumption, applied to both ${\mathcal{B}}_0$ and ${\mathcal{B}}_1$. It follows that $\mathsf{\Pi }$ is $\mathsf{IND}-\mathsf{QCCA}\mathsf{1}$. □

Lemma A2.

Let $n,m>1$ be integers. Then, the following holds where $\omega \left(m\right)$ is the prime omega function:

$$\sum _{\genfrac{}{}{0pt}{}{1\le j\le n}{gcd(j,m)=1}}1=n\frac{\phi \left(m\right)}{m}+O\left(2^{\omega \left(m\right)}\right).$$

For completeness, we include a short and simple proof of the above statement.

Proof ([35])

$$\sum _{\begin{array}{c}j=1\\ gcd(j,m)=1\end{array}}^{n}1=\sum _{j=1}^n\sum _{d\mid gcd(j,m)}\mu \left(d\right)=\sum _{d\mid m}\mu \left(d\right)\sum _{\begin{array}{c}j=1\\ j\equiv 0(modd)\end{array}}^{n}1$$

Here, $\mu$ denotes the Möbius function. The sum over $j=1,\cdots ,n$ is equal to $⌊\frac{n}{d}⌋=\frac{n}{d}+O\left(1\right)$. Therefore,

$$n\sum _{d\mid m}\frac{\mu \left(d\right)}{d}+O\left(\sum _{d\mid m}\left|\mu \left(d\right)\right|\right)=\frac{n\phi \left(m\right)}{m}+O\left(2^{\omega \left(m\right)}\right).$$

Putting everything together, we arrive at the equation,

$$\sum _{\genfrac{}{}{0pt}{}{1\le j\le n}{gcd(j,m)=1}}1=n\frac{\phi \left(m\right)}{m}+O\left(2^{\omega \left(m\right)}\right),$$

thereby completing the proof. □