On Quantum Chosen-Ciphertext Attacks and Learning with Errors

Large-scale quantum computing is a significant threat to classical public-key cryptography. In strong"quantum access"security models, numerous symmetric-key cryptosystems are also vulnerable. We consider classical encryption in a model which grants the adversary quantum oracle access to encryption and decryption, but where the latter is restricted to non-adaptive (i.e., pre-challenge) queries only. We define this model formally using appropriate notions of ciphertext indistinguishability and semantic security (which are equivalent by standard arguments) and call it QCCA1 in analogy to the classical CCA1 security model. Using a bound on quantum random-access codes, we show that the standard PRF- and PRP-based encryption schemes are QCCA1-secure when instantiated with quantum-secure primitives. We then revisit standard IND-CPA-secure Learning with Errors (LWE) encryption and show that leaking just one quantum decryption query (and no other queries or leakage of any kind) allows the adversary to recover the full secret key with constant success probability. In the classical setting, by contrast, recovering the key uses a linear number of decryption queries, and this is optimal. The algorithm at the core of our attack is a (large-modulus version of) the well-known Bernstein-Vazirani algorithm. We emphasize that our results should *not* be interpreted as a weakness of these cryptosystems in their stated security setting (i.e., post-quantum chosen-plaintext secrecy). Rather, our results mean that, if these cryptosystems are exposed to chosen-ciphertext attacks (e.g., as a result of deployment in an inappropriate real-world setting) then quantum attacks are even more devastating than classical ones.


Background
Large-scale quantum computers pose a dramatic threat to classical cryptography. The ability of such devices to run Shor's efficient quantum factoring algorithm (and its variants) would lead to devastation of the currently deployed public-key cryptography infrastructure [CJL+16;Sho94]. This threat has led to significant work on so-called "post-quantum" alternatives, where a prominent category is occupied by cryptosystems based on the Learning with Errors (LWE) problem of solving noisy linear equations over Z q [Reg05] and its variants [CJL+16;NIS17].
In addition to motivating significant work on post-quantum cryptosystems, the threat of quantum computers has also spurred general research on secure classical cryptography in the presence of quantum adversaries. One area in particular explores strong security models where a quantum adversary gains precise quantum control over portions of a classical cryptosystem. In such models, a number of basic symmetric-key primitives can be broken by simple quantum attacks based on Simon's algorithm [KM10;KM12;KLL+16;SS17;Sim97]. It is unclear if the assumption behind these models is plausible for typical physical implementations of symmetric-key cryptography. However, attacks which involve quantumly querying a classical function are always available in scenarios where the adversary has access to a circuit for the relevant function. This is the case for hashing, public-key encryption, and circuit obfuscation. Moreover, understanding this model is crucial for gauging the degree to which any physical device involved in cryptography must be resistant to reverse engineering or forced quantum behavior (consider, e.g., the so-called "frozen smart card" example [GHS16]). For instance, one may reasonably ask: what happens to the security of a classical cryptosystem when the device leaks only a single quantum query to the adversary?
When deciding which functions the adversary might have (quantum) access to, it is worth recalling the classical setting. For classical symmetric-key encryption, a standard approach considers the security of cryptosystems when exposed to so-called chosen-plaintext attacks (CPA). This notion encompasses all attacks in which an adversary attempts to defeat security (by, e.g., distinguishing ciphertexts or extracting key information) using oracle access to the function which encrypts plaintexts with the secret key. This approach has been highly successful in developing cryptosystems secure against a wide range of realistic real-world attacks. An analogous class, the so-called chosen-ciphertext attacks (CCA), are attacks in which the adversary can make use of oracle access to decryption. For example, a well-known attack due to Bleichenbacher [Ble98] only requires access to an oracle that decides if the input ciphertext is encrypted according to a particular RSA standard. We will consider analogues of both CPA and CCA attacks, in which the relevant functions are quantumly accessible to the adversary.

Our Contributions
The model. In this work, we consider a quantum-secure model of encryption called QCCA1. This model grants non-adaptive access to the decryption oracle, and is thus intermediate between QCPA and QCCA2. Studying weaker and intermediate models is a standard and useful practice in theoretical cryptography. In fact, CPA and CCA2 are intermediate models themselves, since they are both strictly weaker than authenticated encryption. Our particular intermediate model is naturally motivated: it is sufficent for a new and interesting quantum attack on LWE encryption.
As is typical, the challenge in QCCA1 can be semantic, or take the form of an indistinguishability test. This leads to natural security notions for symmetric-key encryption, which we call IND-QCCA1 and SEM-QCCA1, respectively. Following previous works, it is straightforward to define both IND-QCCA1 and SEM-QCCA1 formally, and prove that they are equivalent [BJ15; GHS16;BZ13b].
We then prove IND-QCCA1 security for two symmetric-key encryption schemes, based on standard assumptions. Specifically, we show that the standard encryption schemes based on quantumsecure pseudorandom functions (QPRF) and quantum-secure pseudorandom permutations (QPRP) are both IND-QCCA1. We remark that both QPRFs and QPRPs can be constructed from quantumsecure one-way functions [Zha12;Zha16]. Our security proofs use a novel technique, in which we control the amount of information that the adversary can extract from the oracles and store in their internal quantum state (prior to the challenge) by means of a certain bound on quantum random-access codes.
A quantum-query attack on LWE. We then revisit the aforementioned question: what happens to a post-quantum cryptosystem if it leaks a single quantum query? Our main result is that standard IND-CPA-secure LWE-based encryption schemes can be completely broken using only a single quantum decryption query and no other queries or leakage of any kind. In our attack, the adversary recovers the complete secret key with constant success probability. In standard bit-by-bit LWE encryption, a single classical decryption query can yield at most one bit of the secret key; the classical analogue of our attack thus requires n log q queries. The attack is essentially an application of a modulo-q variant of the Bernstein-Vazirani algorithm [BV97]. Our new analysis shows that this algorithm correctly recovers the key with constant success probability, despite the decryption function only returning an inner product which is rounded to one of two values. We show that the attack applies to four variants of standard IND-CPA-secure LWE-based encryption: the symmetrickey and public-key systems originally described by Regev [Reg05], the FrodoPKE scheme 5 [LP11; ABD+17], and standard Ring-LWE [LPR13a; LPR13b]. Important caveats. Our results challenge the idea that LWE is unconditionally "just as secure" quantumly as it is classically. Nonetheless, the reader is cautioned to interpret our work carefully. Our results do not indicate a weakness in LWE (or any LWE-based cryptosystem) in the standard post-quantum security model. Since it is widely believed that quantum-algorithmic attacks will need to be launched over purely classical channels, post-quantum security does not allow for quantum queries to encryption or decryption oracles. Moreover, while our attack does offer a dramatic quantum speedup (i.e., one query vs. linear queries), the classical attack is already efficient. The schemes we attack are already insecure in the classical chosen-ciphertext setting, but can be modified to achieve chosen-ciphertext security [FO99].
Related work. We remark that Grilo, Kerenidis and Zijlstra recently observed that a version of LWE with so-called "quantum samples" can be solved efficiently (as a learning problem) using Bernstein-Vazirani [GKZ17]. Our result, by contrast, demonstrates an actual cryptographic attack on standard cryptosystems based on LWE, in a plausible security setting. Moreover, in terms of solving the learning problem, our analysis shows that constant success probability is achievable with only a single query, whereas [GKZ17] require a number of queries which is at least linear in the modulus q. In particular, our cryptographic attack succeeds with a single query even for superpolynomial modulus.

Technical summary of results
Security model and basic definitions. First, we set down the basic QCCA1 security model, adapting the ideas of [BZ13a;GHS16]. Recall that an encryption scheme is a triple Π = (KeyGen, Enc, Dec) of algorithms (key generation, encryption, and decryption, respectively) satisfying Dec k (Enc k (m)) = m for any key k ← KeyGen and message m. In what follows, all oracles are quantum, meaning that a function f is accessed via the unitary operator |x |y → |x |y ⊕ f (x) . We define ciphertext indistinguishability and semantic security as follows.
Definition 1 (informal). Π is IND-QCCA1 if no quantum polynomial-time algorithm (QPT) A can succeed at the following experiment with probability better than 1/2 + negl(n).

1.
A key k ← KeyGen(1 n ) and a uniformly random bit b $ ← − {0, 1} are generated; A gets access to oracles Enc k and Dec k , and outputs (m 0 , m 1 ); 2. A receives Enc k (m b ) and gets access to an oracle for Enc k only, and outputs a bit b ′ ; Definition 2 (informal). Consider the following game with a QPT A.

1.
A key k ← KeyGen(1 n ) is generated; A gets access to oracles Enc k , Dec k and outputs circuits (Samp, h, f ); 2. Sample m ← Samp; A receives h(m), Enc k (m), and access to an oracle for Enc k only, and outputs a string s; A wins if s = f (m).
Then Π is SEM-QCCA1 if for every QPT A there exists a QPT S with the same winning probability but which does not get Enc k (m) in step 2.
Theorem 1. A classical symmetric-key encryption scheme is IND-QCCA1 if and only if it is SEM-QCCA1.
Secure constructions. Next, we show that standard pseudorandom-function-based encryption is QCCA1-secure, provided that the underlying PRF is quantum-secure (i.e., is a QPRF.) A QPRF can be constructed from any quantum-secure one-way function, or directly from the LWE assumption [Zha12]. Given a PRF f = {f k } k , define PRFscheme[f ] to be the scheme which encrypts a plaintext m using randomness r via Enc k (m; r) = (r, f k (r) ⊕ m) and decrypts in the obvious way.
We also analyze a standard permutation-based scheme. Quantum-secure PRPs (i.e., QPRPs) can be obtained from quantum-secure one-way functions [Zha16]. Given a PRP P = {P k } k , define PRPscheme[P ] to be the scheme that encrypts a plaintext m using randomness r via Enc k (m; r) = P k (m||r), where || denotes concatenation; to decrypt, one applies P −1 k and discards the randomness bits.
We briefly describe our proof techniques for Theorems 2 and 3. In the indistinguishability game, the adversary can use the decryption oracle prior to the challenge to (quantumly) encode information about the relevant pseudorandom function instance (i.e., f k or P k ) in their private, poly-sized quantum memory. From this point of view, establishing security means showing that this encoded information cannot help the adversary compute the value of the relevant function at the particular randomness used in the challenge. To prove this, we use a bound on quantum random access codes (QRAC). Informally, a QRAC is a mapping from N -bit strings x to d-dimensional quantum states ̺ x , such that given ̺ x , and any index j ∈ [N ], the bit x j can be recovered with some probability p x,j = 1 2 + ǫ x,j . The average bias of such a code is the expected value of ǫ x,j , over uniform x and j. A QRAC with shared randomness further allows the encoding and decoding procedures to both depend on some random variable.
Lemma 1. The average bias of a quantum random access code with shared randomness that encodes N bits into a d-dimensional quantum state is O( N −1 log d). In particular, if N = 2 n and d = 2 poly(n) the bias is O(2 −n/2 poly(n)).
Key recovery against LWE. Our attack on LWE encryption will make use of a new analysis of the performance of a large-modulus variant of the Bernstein-Vazirani algorithm [BV97], in the presence of a certain type of "rounding" noise.
Quantum algorithm for linear rounding functions. In the simplest case we analyze, the oracle outputs 0 if the inner product is small, and 1 otherwise. Specifically, given integers n ≥ 1 and q ≥ 2, define a keyed family of (binary) linear rounding functions, LRF k,q : Z n q −→ {0, 1}, with key k ∈ Z n q , as follows: Here ·, · denotes the inner product modulo q. Our main technical contribution is the following.
Theorem 4 (informal). There exists a quantum algorithm which runs in time O(n), makes one quantum query to LRF k,q (with q ≥ 2 and unknown k ∈ Z n q ), and outputs k with probability 4/π 2 − O(1/q).
We also show that the same algorithm succeeds against more generalized function classes, in which the oracle indicates which "segment" of Z q the exact inner product belongs to.
One quantum query against LWE. Finally, we revisit our central question of interest: what happens to a post-quantum cryptosystem if it leaks a single quantum query? We show that, in standard LWE-based schemes, the decryption function can (with some simple modifications) be viewed as a special case of a linear rounding function, as above. In standard symmetric-key or public-key LWE, for instance, we decrypt a ciphertext (a, c) ∈ Z n+1 q with key k by outputting 0 if |c − a, k | ≤ q 4 and 1 otherwise. In standard Ring-LWE, we decrypt a ciphertext (u, v) with key k (here u, v, k are polynomials in Z q [x]/ x n + 1 ) by outputting 0 if the constant coefficient of v − k · u is small, and 1 otherwise.
Each of these schemes is secure against adversaries with classical encryption oracle access, under the LWE assumption. If adversaries also gain classical decryption access, then it's not hard to see that a linear number of queries is necessary and sufficient to recover the private key. Our main result is that, by contrast, only a single quantum decryption query is required to achieve this total break. Indeed, in all three constructions described above, one can use the decryption oracle to build an associated oracle for a linear rounding function which hides the secret key. The following can then be shown using Theorem 4.
Theorem 5 (informal). Let Π be standard LWE or standard Ring-LWE encryption (either symmetrickey, or public-key.) Let n be the security parameter. Then there is an efficient quantum algorithm that runs in time O(n), uses one quantum query to the decryption function Dec k of Π,and outputs the secret key with constant probability.

Organization
The remainder of this paper is organized as follows. In Section 2, we outline preliminary ideas that we will make use of, including cryptographic concepts, and notions from quantum algorithms. In Section 3, we define the QCCA1 model, including the two equivalent versions IND-QCCA1 and SEM-QCCA1. In Section 4, we define the PRF and PRP scheme, and show that they are IND-QCCA1secure. In Section 5, we show how a generalization of the Bernstein-Vazirani algorithm works with probability bounded from below by a constant, even when the oracle outputs rounded values. In Section 6, we use the results of Section 5 to prove that a single quantum decryption query is enough to recover the secret key in various versions of LWE-encryption; we also observe a similar result for a model in which the adversary can make one quantum encryption query with partial access to the randomness register.

Basic notation and conventions
Selecting an element x uniformly at random from a finite set X will be written as x $ ← − X. If we are generating a vector or matrix with entries in Z q by sampling each entry independently according to a distribution χ on Z q , we will write, e.g., v χ ← − Z n q . Given a matrix A, A T will denote the transpose of A. We will view elements v of Z n q as column vectors; the notation v T then denotes the corresponding row vector. The notation negl(n) denotes some function of n which is smaller than every inverse-polynomial. We denote the concatenation of strings x and y by x||y. We abbreviate classical probabilistic polynomial-time algorithms as PPT algorithms. By quantum algorithm (or QPT) we mean a polynomial-time uniform family of quantum circuits, where each circuit in the family is described by a sequence of unitary gates and measurements. In general, such an algorithm may receive (mixed) quantum states as inputs and produce (mixed) quantum states as outputs. Sometimes we will restrict QPTs implicitly; for example, if we write Pr[A(1 n ) = 1] for a QPT A, it is implicit that we are only considering those QPTs that output a single classical bit.
Every function f : {0, 1} m → {0, 1} ℓ determines a unitary operator U f : |x |y → |x |y ⊕ f (x) on m + ℓ qubits where x ∈ {0, 1} m and y ∈ {0, 1} ℓ . In this work, when we say that a quantum algorithm A gets (adaptive) oracle access to f (written A f ), we mean that A can apply the oracle unitary U f .
Recall that a symmetric-key encryption scheme is a triple of classical probabilistic algorithms (KeyGen, Enc, Dec) whose run-times are polynomial in some security parameter n. Such a scheme must satisfy the following property: when a key k is sampled by running KeyGen(1 n ), then it holds that Dec k (Enc k (m)) = m for all m except with negligible probability in n. In this work, all encryption schemes will be fixed-length, i.e., the length of the message m will be a fixed (at most polynomial) function of n.
Since the security notions we study are unachievable in the information-theoretic setting, all adversaries will be modeled by QPTs. When security experiments require multiple rounds of interaction with the adversary, it is implicit that A is split into multiple QPTs (one for each round), and that these algorithms forward their internal (quantum) state to the next algorithm in the sequence.

Quantum-secure pseudorandomness
Here F ℓ m denotes the set of all functions from {0, 1} m to {0, 1} ℓ . The standard method for constructing a pseudorandom function from a one-way function produces a QPRF, provided that the one-way function is quantum-secure [GL89; GGM86;Zha12].
A quantum-secure pseudorandom permutation is a a bijective function family of quantum-secure pseudorandom functions. More specifically, consider a function P : where n and m are integers, such that each function P k (x) = P (k, x) in the corresponding family {P k } k∈{0,1} n is bijective. We say P is a quantum-secure pseudorandom permutation (or QPRP) if, for every QPT A with access to both the function and its inverse, where P m denotes the set of permutations over m-bit strings. One can construct QPRPs from quantum-secure one-way functions [Zha16].

Quantum random access codes
A quantum random access code (QRAC) is a two-party scheme for the following scenario involving two parties Alice and Bob [Nay99]: 1. Alice gets x ∈ {0, 1} N and encodes it as a d-dimensional quantum state ̺ x . 2. Bob receives ̺ x from Alice, and some index i ∈ {1, . . . , N }, and is asked to recover the i-th bit of x, by performing some measurement on ̺ x . 3. They win if Bob's output agrees with x i and lose otherwise.
We can view a QRAC scheme as a pair of (not necessarily efficient) quantum algorithms: one for encoding, and another for decoding. We remark that the definition of a QRAC does not require a bound on the number of qubits; the interesting question is with what parameters a QRAC can actually exist.
A variation of the above scenario allows Alice and Bob to use shared randomness in their encoding and decoding operations [ALM+08]. Hence, Alice and Bob can pursue probabilistic strategies with access to the same random variable.

Quantum Fourier transform
For any positive integer q, the quantum Fourier transform over Z q is defined by the operation where ω q = e 2πi q . Due to early work by Kitaev [Kit95], this variant of the Fourier transform can be implemented using quantum phase estimation in complexity polynomial in log q. An improved approximate implementation of this operation is due to Hales and Hallgren [HH00].
3 The QCCA1 security model

Quantum oracles
In our setting, adversaries will (at various times) have quantum oracle access to the classical functions Enc k and Dec k . The case of the deterministic decryption function Dec k is simple: the adversary gets access to the unitary operator U Dec k : |c |m → |c |m ⊕ Dec k (c) . For encryption, to satisfy IND-CPA security, Enc k must be probabilistic and thus does not correspond to any single unitary operator. Instead, each encryption oracle call of the adversary will be answered by applying a unitary sampled uniformly from the family {U Enc k ,r } r where U Enc k ,r : |m |c → |m |c ⊕ Enc k (m; r) and r varies over all the possible values of the randomness register of Enc k . Note that, since Enc k and Dec k are required to be probabilistic polynomial-time algorithms provided by the underlying classical symmetric-key encryption scheme, both U Enc k ,r and U Dec k correspond to efficient and reversible quantum operations. For the sake of brevity, we adopt the convenient notation Enc k and Dec k to refer to the above quantum oracles for encryption and decryption respectively.

Ciphertext indistinguishability
We now define indistinguishability of encryptions (for classical, symmetric-key schemes) against non-adaptive quantum chosen-ciphertext attacks.

Setup:
A key k ← KeyGen(1 n ) and a bit b $ ← − {0, 1} are generated; 2. Pre-challenge: A gets access to oracles Enc k and Dec k , and outputs (m 0 , m 1 ); 3. Challenge: A gets Enc k (m b ) and access to Enc k only, and outputs a bit b ′ ; 4. Resolution: Then Π has indistinguishable encryptions under non-adaptive quantum chosen ciphertext attack By inspection, one immediately sees that our definition lies between the established notions of IND-QCPA and IND-QCCA2 [BJ15; GHS16; BZ13b]. It will later be convenient to work with a variant of the game IndGame, which we now define.
Definition 4 (IndGame ′ ). We define the experiment IndGame ′ (Π, A, n) just as IndGame(Π, A, n), except that in the pre-challenge phase A only outputs a single message m, and in the challenge phase A receives Enc k (m) if b = 0, and Enc k (x) for a uniformly random message x if b = 1.
Working with IndGame ′ rather than IndGame does not change security. Specifically (as we show in Appendix A), Π is IND-QCCA1 if and only if, for every QPT A, Pr[A wins IndGame ′ (Π, A, n)] ≤ 1/2 + negl(n) .

Semantic security
In semantic security, rather than choosing a pair of challenge plaintexts, the adversary chooses a challenge template: a triple of circuits (Samp, h, f ), where Samp outputs plaintexts from some distribution D Samp , and h and f are functions with domain the support of D Samp . The intuition is that Samp is a distribution of plaintexts m for which the adversary, if given information h(m) about m together with an encryption of m, can produce some new information f (m).
1. Setup: A key k ← KeyGen(1 n ) is generated; 2. Pre-challenge: A gets access to oracles Enc k and Dec k , and outputs a challenge template (Samp, h, f ); 3. Challenge: A plaintext m $ ← − Samp is generated; A receives h(m) and gets access to an oracle for Enc k only; if b = real, A also receives Enc k (m); A outputs a string s; Π has semantic security under non-adaptive quantum chosen ciphertext attack (or is SEM-QCCA1) if, for every QPT A, there exists a QPT S such that the challenge templates output by A and S are identically distributed, and Our definition is a straightforward modification of SEM-QCPA [GHS16; BZ13b]; the modification is to give A and S oracle access to Dec k in the pre-challenge phase.
Theorem 6. Let Π = (KeyGen, Enc, Dec) be a symmetric-key encryption scheme. Then, Π is The classical proof of the above (see, e.g., [Gol09]) carries over directly to the quantum case. This was already observed for the case of QCPA by [GHS16], and extends straightforwardly to the case where both the adversary and the simulator gain oracle access to Dec k in the pre-challenge phase. 6 4 Secure Constructions

PRF scheme
Let us first recall the standard symmetric-key encryption based on pseudorandom functions. For simplicity, we chose a particularly simple set of parameters for the PRF, so that key length, input size, and output size are all equal to the security parameter. It is straightforward to check that the definition (and our results below) are valid for arbitrary polynomial-size parameter choices.
We show that the above scheme satisfies QCCA1, provided that the underlying PRF is secure against quantum queries.
Proof. Fix a QPT adversary A against Π := PRFscheme[f ] = (KeyGen, Enc, Dec) and let n denote the security parameter. It will be convenient to split A into the pre-challenge algorithm A 1 and the challenge algorithm A 2 .
We will work with the single-message variant of IndGame, IndGame ′ , described below as Game 0. In Appendix A, we show that Π is IND-QCCA1 if and only if no QPT adversary can win IndGame ′ with non-negligible bias. We first show that a version of IndGame ′ where we replace f with a random function, called Game 1 below, is indistinguishable from IndGame ′ , so that the winning probabilities cannot differ by a non-negligible amount. We then prove that no adversary can win Game 1 with non-negligible bias by showing how any adversary for Game 1 can be used to make a quantum random access code with the same bias.
Game 0: This is the game IndGame ′ (Π, A, n), which we briefly review for convenience (see also Figure 1). In the pre-challenge phase, A 1 gets access to oracles Enc k and Dec k , and outputs a message m * while keeping a private state |ψ for the challenge phase. In the challenge phase, a random bit b $ ← − {0, 1} is sampled, and A 2 is run on input |ψ and a challenge ciphertext Here where r * and x are sampled uniformly at random. In the challenge phase, A 2 only has access to Enc k and must output a bit b ′ . A wins if δ bb ′ = 1, so we call δ bb ′ the outcome of the game. Game 1: This is the same game as Game 0, except we replace f k with a uniformly random First, we show that for any adversary A, the outcome when A plays Game 0 is at most negligibly different from the outcome when A plays Game 1. We do this by constructing a quantum oracle distinguisher D that distinguishes between the QPRF {f k } k and a true random function, with distinguishing advantage which must then be negligible since f is a QPRF. The distinguisher D gets quantum oracle access to a function g, which is either f k , for a random k, or a random function, and proceeds by simulating A playing IndGame ′ as follows: 1. Run A 1 , answering encryption queries using classical calls to g in place of f k , and answering decryption queries using quantum oracle calls to g: |r |c |m → |r |c |m ⊕ c → |r |c |m ⊕ c ⊕ g(r) ; 2. Simulate the challenge phase by sampling b $ ← − {0, 1} and encrypting the challenge using g in place of f k ; run A 2 and simulate encryption queries as before; 3. When A 2 outputs b ′ , output δ bb ′ .
It remains to show that no QPT adversary can win Game 1 with non-negligible probability. To do this, we design a quantum random access code from any adversary, and use the lower bound on the bias given in Lemma 1.
Intuition. We first give some intuition. In an encryption query, the adversary, either A 1 or A 2 , queries a message, or a superposition of messages m |m , and gets back m |m |r, m ⊕ F (r) for a random r, from which he can easily get a sample (r, F (r)). Thus, in essence, an encryption query is just classically sampling a random point of F .
In a decryption query, which is only available to A 1 , the adversary sends a ciphertext, or a superposition of ciphertexts, r,c |r, c and gets back r,c |r, c |c ⊕ F (r) , from which he can learn r |r, F (r) . Thus, a decryption query allows A 1 to query F , in superposition. Later in the challenge phase, A 2 gets an encryption (r * , m ⊕ F (r * )) and must decide if m = m * . Since A 2 no longer has access to the decryption oracle, which allows him to query F , there seem to be two possible ways A 2 could learn F (r * ): 1. A 2 gets lucky in one of his at most poly(n) many queries to Enc k and happens to sample (r * , F (r * )); 2. Or, the adversary is somehow able to use what he learned while he had access to Dec k , and thus F , to learn F (r * ), meaning that the poly(n)-sized quantum memory A 1 sends to A 2 , that can depend on queries to F , but which cannot depend on r * , allows A 2 to learn F (r * ).
The first possibility is exponentially unlikely, since there are 2 n possibilities for r * . As we will see shortly, the second possibility would imply a very strong quantum random access code. It would essentially allow A 1 to interact with F , which contains 2 n values, and make a state, which must necessarily be of polynomial size, such that A 2 can use that state to recover F (r * ) for any of the 2 n possible values of r * , with high probability. We now formalize this intuition. To clarify notation, we will use boldface to denote the shared randomness bitstrings.
Bits to be encoded: Construction of a quantum random access code. Let A be a QPT adversary with winning probability p. Let ℓ = poly(n) be an upper bound on the number of queries made by A 2 . Recall that a random access code consists of an encoding procedure that takes (in this case) 2 n bits b 1 , . . . , b 2 n , and outputs a state ̺ of dimension (in this case) 2 poly(n) , such that a decoding procedure, given ̺ and an index j ∈ {1, . . . , 2 n } outputs b j with some success probability. We define a quantum random access code as follows (see also Figure 2).
Encoding. Let b 1 , . . . , b 2 n ∈ {0, 1} be the string to be encoded. Let s, y 1 , . . . , y 2 n ∈ {0, 1} n be given by the first n(1 + 2 n ) bits of the shared randomness, and let r 1 , . . . , r ℓ ∈ {0, 1} n be the next ℓn bits. Define a functionf : {0, 1} n → {0, 1} n as follows. For r ∈ {0, 1} n , we will slightly abuse notation by letting r denote the corresponding integer value between 1 and 2 n . Definẽ f (r) = y r ⊕ b r s. Run A 1 , answering encryption and decryption queries usingf in place of F . Let m * and |ψ be the outputs of A 1 (see Figure 1). Output ̺ = (|ψ , m * ,f (r 1 ), . . . ,f (r ℓ )). Decoding. Let j ∈ {1, . . . , 2 n } be the index of the bit to be decoded (so given ̺ as above, the goal is to recover b j ). Decoding will make use of the values s, y 1 , . . . , y 2 n , r 1 , . . . , r ℓ given by the shared randomness. Upon receiving a query j ∈ {1, . . . , 2 n }, run A 2 with inputs |ψ and (j, m * ⊕ y j ). On A 2 's i-th encryption oracle call, use randomness r i , so that if the input to the oracle is |m, c , the state returned is |m, c ⊕ (r i , m ⊕f (r i )) (note thatf (r i ) is given as part of ̺). Return the bit b ′ output by A 2 .
Average bias of the code. We claim that the average probability of decoding correctly, taken over all choices of b 1 , . . . , b 2 n ∈ {0, 1} and j ∈ {1, . . . , 2 n }, is exactly p, the success probability of A.
To see this, first note that from A's perspective, this is exactly Game 1: the functionf is a uniformly random function, and the queries are responded to just as in Game 1. Further, note that if b j = 0, then m * ⊕ y j = m * ⊕f (j), so the correct guess for A 2 would be 0, and if b j = 1, then m * ⊕ y j = m * ⊕f (j) ⊕ s = x ⊕f (j) for the uniformly random string x = m * ⊕ s, so the correct guess for A 2 would be 1. Therefore, the average bias of the code is p − 1/2. We also observe that ̺ has dimension at most 2 poly(n) , since |ψ must be a poly(n)-qubit state (A 1 only runs for poly(n) time), and ℓ, the number of queries made by A 2 must be poly(n), since A 2 only runs for poly(n) time. As this code encodes 2 n bits into a state of dimension 2 poly(n) , by Lemma 1 (proven in Appendix A), the bias is O(2 −n/2 poly(n)) = negl(n), so p ≤ 1 2 + negl(n). ⊓ ⊔
As before, we chose a simple set of parameters; in general, the randomness length, plaintext length, and security parameter can be related by arbitrary polynomials.
Proof. We follow a similar proof strategy as with the PRF scheme. Fix a QPT adversary A against Π := PRPscheme[P ] = (KeyGen, Enc, Dec) and let n denote the security parameter. We have that Π is IND-QCCA1 if and only if no QPT adversary can win IndGame ′ with non-negligible bias. First, we show that a version of IndGame ′ where we replace P with a random permutation, described below as Game 1, is indistinguishable from IndGame ′ , so that the winning probabilities cannot differ by a non-negligible amount. We then prove that no adversary can win Game 1 with non-negligible bias, by showing how any adversary for Game 1 can be used to make a quantum random access code with the same bias.
Game 0: In the pre-challenge phase, A 1 gets access to oracles Enc k and Dec k . In the challenge phase, A 1 outputs m and its private data |ψ ; a random bit b $ ← − {0, 1} is sampled, and A 2 is run on input |ψ and a challenge ciphertext where r * $ ← − {0, 1} n and x is sampled uniformly at random. In the challenge phase, A 2 has oracle access to Enc k only and outputs a bit b ′ . The outcome of the game is simply the bit δ bb ′ . Game 1: This is the same game as Game 0, except we now replace P k with a perfectly random permutation π : {0, 1} 2n → {0, 1} 2n .
We show that for any adversary A, the outcome when A plays Game 0 is at most negligibly different from the outcome when A plays Game 1. We construct a quantum oracle distinguisher D that distinguishes between P k and a perfectly random permutation, with distinguishing advantage which must then be negligible since P k is a QPRP. Here, the distinguisher D receives quantum oracle access to a function ϕ, which is either P k for a random k, or a random permutation π, and proceeds by simulating A playing IndGame ′ as follows: 1. Run A 1 , answering encryption queries using oracle calls to ϕ in place of P k , where for a given input and via randomness r, Enc : |m |c → |m |c ⊕ ϕ(m||r) .
Answer decryption queries using quantum oracle calls toφ −1 , a function that first computes ϕ −1 but then (analogous to the PRP construction) discards the last n bits of the pre-image corresponding to the randomness, i.e.
2. Simulate the challenge phase by sampling b $ ← − {0, 1} and encrypting using a randomness r * together with a classical call to ϕ in place of P k ; run A 2 and simulate encryption queries as before. 3. When A 2 outputs b ′ , output δ bb ′ .
It remains to show that no QPT adversary can win Game 1 with non-negligible probability. To do this, we will again design a random access code from any adversary's strategy with success probability p, and use the lower bound on the bias given in Lemma 1. We will then construct a QRAC with bias negl(n) from this adversary, and hence conclude that p ≤ 1 2 + negl(n).
Construction of a quantum random access code. Let A be a QPT adversary with winning probability p and let ℓ = poly(n) be an upper bound on the number of queries made by A 2 . When constructing a QRAC for the PRP scheme, we shall also assume for simplicity that both the encoder and decoder share a random permutation (as part of the shared randomness). According to the well known coupon collector's problem, it is sufficient for the encoder and decoder to share around N ln(N ) random strings on average, where N denotes the number of distinct random strings required to make up the desired permutation. We define a quantum random access code as follows (see also Figure 3).  Encoding. Let b 1 , . . . , b 2 n ∈ {0, 1} be the string to be encoded and let the shared randomness be given by a random string s together with a random permutation y = y 1 , . . . , y 2 2n ∈ {0, 1} 2n and a set of random strings r 1 , . . . , r ℓ ∈ {0, 1} n . Using b 1 , . . . , b 2 n , we define a new random permutation by lettingP (x||r) := y x⊕brs||r (P remains a permutation 7 ). Run A 1 by answering encryption and decryption queries usingP in place of π (for decryption, useP −1 and discard the last n bits). Let m * and |ψ be the outputs of A 1 . Then, output ̺ = (|ψ , m * , b r 1 , . . . , b r l ). Decoding. Let j ∈ {1, . . . , 2 n } be the index of the bit to be decoded; so given ̺ as above, we will recover b j by making use of the shared randomness defined above. Upon receiving a query j ∈ {1, . . . , 2 n }, run A 2 with inputs |ψ and c * = y m * ||j . Return the bit b ′ output by A 2 .
Average bias of the code. We claim that the average probability of decoding correctly, taken over all choices of b 1 , . . . , b 2 n ∈ {0, 1} and j ∈ {1, . . . , 2 n }, is exactly p, the success probability of A. To see this, first note that from A's perspective, this is exactly Game 1: the functionP is a uniformly random permutation, and the queries are responded to just as in Game 1. Further, note that if b j = 0, the challenge amounts toP (m * ||j) = y m * ||j , so the correct guess for A 2 would be 0, and if b j = 1, then y x||j is an encryption of a uniformly random string x = m * ⊕ s, so the correct guess for A 2 would be 1. Therefore, the average bias of the code is p − 1/2. We now proceed with a similar analysis as with the PRF scheme. Note that ̺ has dimension at most 2 poly(n) , since |ψ must be a poly(n)-qubit state (A 1 only runs for poly(n) time), and ℓ, the number of queries made by A 2 must be poly(n), since A 2 only runs for poly(n) time. As this code encodes 2 n bits into a state of dimension 2 poly(n) , by Lemma 1, the bias is O(2 −n/2 poly(n)) = negl(n), so p ≤ 1 2 + negl(n). ⊓ ⊔ 5 Quantum algorithm for linear rounding functions a a + 1 In this section, we analyze the performance of the Bernstein-Vazirani algorithm [BV97] with a modified version of the oracle. While the original oracle computes the inner product modulo q, our version only gives partial information about it by rounding its value to one of ⌈q/b⌉ blocks of size b, for some b ∈ {1, . . . , q − 1} (if b does not divide q, one of the blocks will have size < b).
Definition 6. Let n ≥ 1 be an integer and q ≥ 2 be an integer modulus. Let a ∈ Z q , b ∈ Z q \ {0} and c := ⌈q/b⌉. We partition Z q into c disjoint blocks (most of them of size b) starting from a as follows (see Figure 4): Based on this partition, we define a family LRF k,a,b : Z n q −→ Z c of keyed linear rounding functions, with key k ∈ Z n q , as follows: Algorithm 1: Bernstein-Vazirani for linear rounding functions Parameters: n, q, b ∈ {1, . . . , q − 1}, c = ⌈q/b⌉. Input : Quantum oracle U LRF : |x |z → |x |z + LRF k,a,b (x) (mod c) where x ∈ Z n q , z ∈ Z c and LRF k,a,b is the rounded inner product function for some unknown k ∈ Z n q and a ∈ Z q . Output : Stringk ∈ Z n q such thatk = k with high probability.

Prepare the uniform superposition and append
2. Query the oracle U LRF for LRF k,a,b to obtain 3. Discard the last register and apply the quantum Fourier transform QFT ⊗n Zq . 4. Measure in the computational basis and output the outcomek.
The following theorem shows that the modulo-q variant of the Bernstein-Vazirani algorithm (Algorithm 1) can recover k with constant probability of success by using only a single quantum query to LRF k,a,b .
Theorem 9. Let U LRF be the quantum oracle for the linear rounding function LRF k,a,b with modulus q ≥ 2, block size b ∈ {1, . . . , q − 1}, and an unknown a ∈ {0, . . . , q − 1}, and unknown key k ∈ Z n q such that k has at least one entry that is a unit modulo q. Let c = ⌈q/b⌉ and d = cb − q. By making one query to the oracle U LRF , Algorithm 1 recovers the key k with probability at least 4/π 2 − O(d/q).
Proof. For an integer m, let ω m = e 2πi/m . Several times in this proof, we will make use of the identity ℓ−1 z=0 ω rz m = ω r(ℓ−1)/2 m sin(ℓrπ/m) sin(rπ/m) . Let c = ⌈q/b⌉. Throughout this proof, let LRF(x) = LRF k,a,b (x). By querying with 1 √ c c−1 z=0 ω z c |z in the second register, we are using the standard phase kickback technique, which puts the output of the oracle directly into the phase: Thus, after querying the uniform superposition over the cipherspace with 1 √ c c−1 z=0 ω z c |z in the second register, we arrive at the state Note that ω c = ω q/c q . If we discard the last register and apply QFT ⊗n Zq , we get |ψ = 1 q n y∈Z n q x∈Z n q ω −(q/c)LRF(x)+ x,y q |y .
We then perform a complete measurement in the computational basis. The probability of obtaining the key k is given by (3) We are assuming that k has at least one entry that is a unit modulo q. For simplicity, suppose that entry is k n . Let k 1:n−1 denote the first n − 1 entries of k. Then, for any v ∈ {0, . . . , c − 2}: (4) (Recall the definition of I v (a, b) from Definition 6). Since k n is a unit, for each z ∈ I v (a− y, k 1:n−1 ), there is a unique x n ∈ Z q such that x n k n = z. Thus, for a fixed y ∈ Z n−1 q , letting a ′ = a− y, k 1:n−1 , we have: which we can plug into (4) to get: We can perform a similar analysis for the remaining case when This is slightly different from the v < c − 1 case, shown in (5), but very similar. If we substitute v = c − 1 in (5) and compare it to (6), we get z=0 ω z q = q n−1 sin(πd/q) sin(π/q) ≤ q n−1 πd/q 2/q = q n−1 π 2 d.

Key recovery against LWE
In this section, we consider various LWE-based encryption schemes and show using Theorem 9 that the decryption key can be efficiently recovered using a single quantum decryption query (Section 6.1, Section 6.2, and Section 6.3). Then, in Section 6.4, we show that a single quantum encryption query can be used to recover the secret key in a symmetric-key version of LWE, as long as the querying algorithm also has control over part of the randomness used in the encryption procedure.

Key recovery via one decryption query in symmetric-key LWE
Recall the following standard construction of an IND-CPA symmetric-key encryption scheme based on the LWE assumption [Reg05].
As a corollary of Theorem 9, an adversary that is granted a single quantum decryption query can recover the key with probability at least 4/π 2 − o(1): Corollary 1. There is a quantum algorithm that makes one quantum query to LWE-SKE.Dec k and recovers the entire key k with probability at least 4/π 2 − o(1).

⊓ ⊔
Note that the key in this scheme consists of n log q uniformly random bits, and that a classical decryption query yields at most a single bit of output. It follows that any algorithm making t classical queries to the decryption oracle recovers the entire key with probability at most 2 t−n log q . A straightforward key-recovery algorithm does in fact achieve this.

Key recovery via one decryption query in public-key LWE
The key-recovery attack described in Corollary 3 required nothing more than the fact that the decryption procedure of LWE-SKE is just a linear rounding function whose key contains the decryption key. As a result, the attack is naturally applicable to other variants of LWE. In this section, we consider two public-key variants. The first is the standard construction of IND-CPA publickey encryption based on the LWE assumption, as introduced by Regev [Reg05]. The second is the IND-CPA-secure public-key encryption scheme FrodoPKE [ABD+17], which is based on a construction of Lindner and Peikert [LP11]. In both cases, we demonstrate a dramatic speedup in key recovery using quantum decryption queries.
We emphasize once again that key recovery against these schemes was already possible classically using a linear number of decryption queries. Our results should thus not be interpreted as a weakness of these cryptosystems in their stated security setting (i.e., IND-CPA). The proper interpretation is that, if these cryptosystems are exposed to chosen-ciphertext attacks, then quantum attacks can be even more devastating than classical ones.
Regev's public-key scheme. The standard construction of an IND-CPA public-key encryption scheme based on LWE is the following.
Construction 4 (LWE-PKE [Reg05]) Let m ≥ n ≥ 1 be integers, let q ≥ 2 be an integer modulus, and let χ be a discrete error distribution over Z q . Then, the public-key encryption scheme LWE-PKE(n, q, χ) = (KeyGen, Enc, Dec) is defined as follows: 1. KeyGen: output a secret key sk = k $ ← − Z n q and a public key pk = (A, Ak + e) ∈ Z where v T denotes the transpose of v. 3. Dec: to decrypt (a, c), output 0 if |c − a, sk | ≤ q 4 , else output 1. Although the encryption is now done in a public-key manner, all that matters for our purposes is the decryption procedure, which is identical to the symmetric-key case, LWE-SKE. We thus have the following corollary, whose proof is identical to that of Corollary 3: Corollary 2. There is a quantum algorithm that makes one quantum query to LWE-PKE.Dec sk and recovers the entire key sk with probability at least 4/π 2 − o(1).
Frodo public-key scheme. Next, we consider the IND-CPA-secure public-key encryption scheme FrodoPKE, which is based on a construction by Lindner and Peikert [LP11]. Compared to LWE-PKE, this scheme significantly reduces the key-size and achieves better security estimates than the initial proposal by Regev [Reg05]. For a detailed discussion of FrodoPKE, we refer to [ABD+17]. We present the entire scheme for completeness, but the important part for our purposes is the decryption procedure.
Construction 5 (FrodoPKE [ABD+17]) Let n,m,n be integer parameters, let q ≥ 2 be an integer power of 2, let B denote the number of bits used for encoding, and let χ be a discrete symmetric error distribution. The public-key encryption scheme FrodoPKE = (KeyGen, Enc, Dec) is defined as follows: 1. KeyGen: generate a matrix A $ ← − Z n×n q and matrices S, E χ ← − Z n×n q ; compute B = AS + E ∈ Z n×n q ; output the key-pair (pk, sk) with public key pk = (A, B) and secret key sk = S. 2. Enc: to encrypt m ∈ {0, 1} B·m·n (encoded as a matrix M ∈ Zm ×n q with each entry having 0s in all but the B most significant bits) with public key pk, sample error matrices We now show how to recoverm of then columns of the secret key S using a single quantum query to FrodoPKE.Dec S . Ifm =n, as in sample parameters given in [ABD+17], then this algorithm recovers S completely.
Theorem 10. There exists a quantum algorithm that makes one quantum query to FrodoPKE.Dec S and recovers any choice ofm of then columns of S. For each of the chosen columns, if that column has at least one odd entry, then the algorithm succeeds in recovering the column with probability at least 4/π 2 .
Proof. Let s 1 , . . . , sn be the columns of S. Let U denote the map: U : |c |z 1 . . . |zn → |c |z 1 + LRF s 1 ,0,q/2 B (c) . . . |zn + LRF sn,0,q/2 B (c) , for any c ∈ Z n q and z 1 , . . . , zn ∈ Z 2 B . We first argue that one call to FrodoKEM.Dec S can be used to implement U ⊗m . Then we show that one call to U can be used to recover any choice of the columns of S with probability 4/π 2 , as long as it has at least one entry that is odd.
Let Trunc : Z q → Z 2 B denote the map that takes x ∈ Z q to the integer represented by the B most significant bits of the binary representation of x. We have, for any C 1 ∈ Zm ×n q , C 2 = 0m ×n , and any {z i,j } i∈ Above, [C 1 S] i,j represents the ij-th entry of C 1 S. If c 1 , . . . , cm denote the rows of C 1 , then [C 1 S] i,j = c i , s j . Thus, Trunc([C 1 S] i,j ) = LRF s j ,0,q/2 B (c i ), the linear rounding function with block size b = q/2 B , which is an integer since q is a power of 2, and a = 0. Note that we have also assumed that the plaintext is subtracted rather than added to the last register; this is purely for convenience of analysis, and can easily be accounted for by adjusting Algorithm 1 (e.g., by using inverse-QFT instead of QFT.) Discarding the second register (containing C 2 = 0), the right-hand side of (11) becomes |c 1 . . . |cm i∈[m],j∈ [n] |z i,j + LRF s j ,0,q/2 B (c i ) .
Reordering the registers of (12), we get: Thus, we can implement U ⊗m using a single call to FrodoKEM.Dec S . Next we show that for any particular j ∈ [n], a single call to U can be used to recover s j , the j-th column of S, with probability at least 4/π 2 , as long as at least one entry of s j is odd. To do this, we show how one use of U can be used to implement one phase query to LRF s j ,0,q/2 B . Then the result follows from the proof of Theorem 9.
Let |ϕ = 2 −B/2 2 B −1 z=0 |z , and define Then for any c ∈ Z n q , we have: since addition here is modulo 2 B , and Thus: Thus, by the proof of Theorem 9, if we apply U to q −n/2 c∈Z n q |c |φ j , Fourier transform the first register, and then measure, assuming s j has at least one entry that is a unit 8 we will measure s j with probability at least π 2 /4 − O(d/q), where d = q/2 B ⌈q/(q/2 B )⌉ − q = 0.
Thus, if we want to recover columns j 1 , . . . jm of S, we apply our procedure for U ⊗m , which costs one query to FrodoKEM.Dec S , to the state c∈Z n q 1 √ q n |c |φ j 1 ⊗ · · · ⊗ c∈Z n q 1 √ q n |c |φ jm , Fourier transform each of the c registers, and then measure. ⊓ ⊔

Key recovery via one decryption query in public-key Ring-LWE
Next, we analyze key-recovery with a single quantum decryption query against Ring-LWE encryption. Unlike the plain LWE-based encryption schemes we considered in the previous sections, Ring-LWE encryption uses noisy samples over a polynomial ring. In the following, we consider the basic, bit-by-bit Ring-LWE public-key encryption scheme introduced in [LPR13a ;LPR13b]. It is based on the rings R = Z[x]/ x n + 1 and R q := R/qR = Z q [x]/ x n + 1 for some power-of-two integer n and poly(n)-bounded prime modulus q. The details of the error distribution χ below will not be relevant to our results.
We note that our choice of placing single-bit encryption in the constant term of the polynomial is somewhat arbitrary. Indeed, it is straightforward to extend our results to encryption with respect to other monomials. We show the following corollary to Theorem 9.
Corollary 3. There is a quantum algorithm that makes one quantum query to Ring-LWE-PKE.Dec s and recovers the entire key s with probability at least 4/π 2 − o(1).
Proof. We first analyze the decryption function. Let (p) 0 denote the constant term of a polynomial p ∈ R q . Then, for any two polynomials u = n−1 j=0 u j x j and s = n−1 j=0 s j x j ∈ R q , we can identify the constant term of u · s as (u · s) 0 = u 0 s 0 + n−1 j=1 u j s n−j x j x n−j ≡ u 0 s 0 − u 1 s n−1 − u 2 s n−2 − . . . − u n−1 s 1 (mod q), since x n ≡ −1 in R q . We show that the outcome of Ring-LWE-PKE.Dec s (u, v) coincides with a binary linear rounding function over Z n q . Let u, s ∈ Z n q denote the coefficient vectors of u, s ∈ R q respectively, and define a constant polynomial v ≡ v 0 ∈ R q and vector u ′ := (u, v 0 ) ∈ Z n+1 q , for some v 0 ∈ Z q . Consequently, Ring-LWE-PKE.Dec s (u, v 0 ) rounds the inner product u ′ , s ′ , where s ′ = (−s 0 (mod q), s n−1 , . . . , s 1 , 1). Thus, we can run the Bernstein-Vazirani algorithm for binary linear rounding functions on a uniform superposition over Z n q and recover s from s ′ with simple classical post-processing. Note also that any choice of isomorphism between R q and Z n q necessarily preserves the inner product in Eq.(13), and thus any measurement outcome can be mapped back to the standard basis prior to post-processing -independently of the actual ring representation used in practice. By Theorem 9, Algorithm 1 makes one quantum query to LRF s ′ ,q , which can be implemented using one quantum query to Ring-LWE-PKE.Dec s , and recovers s ′ , and thus s, with probability 4/π 2 − o(1). ⊓ ⊔

Key recovery via a randomness-access query
While a linear number of classical decryption queries can be used to break LWE-based schemes, we have shown that only a single quantum decryption query is required. A natural question to ask is whether a similar statement can be made for encryption queries. Classically, it is known that the symmetric key version of LWE described in Construction 3, LWE-SKE, can be broken using a linear number of classical encryption queries when the adversary is also allowed to choose the randomness used by the query: the adversary simply uses e = 0 each time, with a taking n linearly independent values. In case the adversary is allowed to make quantum encryption queries with randomness access, a single quantum query suffice to recover the entire key with non-negligible probability, even when the adversary only has control over a part of the randomness used by the encryption: the randomness used to prepare vectors a, but not the randomness used to select the error e. Specifically, the adversary is given quantum oracle access to the randomness-access encryption oracle U RA Enc k such that, on input (b; a), the adversary receives where e ← χ. We extend this to a quantum randomness-access oracle by answering each element of the superposition using i.i.d. errors e a ← χ: U RA Enc k : |m |a |c → |m |a |c ⊕ Enc RA k (m; a) .
This model is identical to the noisy learning model considered by Grilo et al. [GKZ17] and thus matches the original proposal by Bshouty and Jackson [BJ98]. First, it is not hard to see that algorithms making classical queries to the above oracle can extract at most log q bits of key from each query (specifically, from the last component of the ciphertext), and thus still require a linear number of queries to recover the complete key with non-negligible probability.
On the other hand, by a slight generalization of the proof of Theorem IV.1 from Ref. [GKZ17], we can recover the entire key with inverse polynomial success probability using a single query to U RA Enc k as long as the noise magniture η is polynomial in n, since ϕ(q) = Ω(q/ log log q), for Euler's totient function ϕ.
Theorem 11. Consider LWE-SKE(n, q, χ) with an arbitrary integer modulus 2 ≤ q ≤ exp(n) and a symmetric error distribution χ of noise magnitude η. Then, there exists a quantum algorithm that makes one query to a randomness-accessible quantum encryption oracle for LWE-SKE(n, q, χ) and recovers the entire key with probability at least ϕ(q)/(24ηq) − o(1).
Finally, in a different model in which a single error e ← χ is used for every branch of the superposition of a single query (independent of a) we can recover k using a single query to the randomness access encryption oracle: simply query |0 1 √ q n a∈Z n q |a 1 √ q q−1 z=0 ω z q |z to get |0 1 √ q n a∈Z n q ω − a,k q |a 1 √ q q−1 z=0 ω z q |z + e , apply the quantum Fourier transform to the second register, and then measure the second register to get k with probability 1.

Proof.
A quantum random access code with shared randomness that encodes N bits into a ddimensional quantum state is specified by the following: • a shared random variable λ, • for each x ∈ {0, 1} N , a d-dimensional quantum state ̺ λ x encoding x, • for each i ∈ {0, . . . , N }, an observable M λ i for recovering the i-th bit.
Formally, ̺ λ x and M λ i are d × d Hermitian matrices such that ̺ λ x ≥ 0, Tr̺ λ x = 1, and M λ i ≤ 1 where M λ i denotes the operator norm of M λ i . Note that both ̺ λ x and M λ i depend on the shared random variable λ, meaning that Alice and Bob can coordinate their strategies.
The bias of correctly guessing x i , for a given x and i, is (−1) x i Tr(̺ λ x M λ i )/2. If the average bias of the code is ǫ then E λ E x,i (−1) x i Tr(̺ λ x M λ i ) ≥ 2ǫ. We can rearrange this expression and upper bound each term using its operator norm, and then apply the noncommutative Khintchine inequality [Tom74]: for some constant c. In other words, ǫ ≤ c 2 log d N .
In the particular case we are interested in, d = 2 poly(n) and N = 2 n so ǫ ≤ c 2 poly(n) 2 n , completing the proof.

⊓ ⊔
Equivalence of QCCA1 models. Recall that the IND-QCCA1 notion is based on the security game IndGame defined in Definition 3. In the alternative security game IndGame ′ (see Definition 4), the adversary provides only one plaintext m and must decide if the challenge is an encryption of m or an encryption of a random string. In this section, we prove the following: Proof. Fix a scheme Π. For one direction, suppose Π is IND-QCCA1 and let A be an adversary against IndGame ′ . Define an adversary A 0 against IndGame as follows: (i.) run A until it outputs a challenge plaintext m, (ii.) sample random r and output (m, r), (iii.) run the rest of A and output what it outputs. The output distribution of IndGame ′ (Π, A, n) is then identical to IndGame(Π, A 0 , n), which in turn must be negligibly close to uniform by IND-QCCA1 security of Π.
For the other direction, suppose no adversary can win IndGame ′ with probability better than 1/2, and let B be an adversary against IndGame. Now, define two adversaries B 0 and B 1 against IndGame ′ as follows. The adversary B c does: (i.) run B until it outputs a challenge (m 0 , m 1 ), (ii.) output m c , (iii.) run the rest of B and output what it outputs. Note that the pre-challenge algorithm is identical for B, B 0 , and B 1 ; define random variables M 0 , M 1 and R given by the two challenges and a uniformly random plaintext, respectively. The post-challenge algorithm is also identical for all three adversaries; call it C. The advantage of B over random guessing is then bounded by C(Enc k (M 0 )) − C(Enc k (M 1 )) 1 = C(Enc k (M 0 )) − C(Enc k (M 1 )) − C(Enc k (R)) + C(Enc k (R)) 1 ≤ C(Enc k (M 0 )) − C(Enc k (R)) 1 + C(Enc k (M 1 )) − C(Enc k (R)) 1 ≤ negl(n) , where the last inequality follows from our initial assumption, applied to both B 0 and B 1 . It follows that Π is IND-QCCA1.