Cryptology ePrint Archive: Report 2015/355

Semantic Security and Indistinguishability in the Quantum World

Tommaso Gagliardoni and Andreas Hülsing and Christian Schaffner

Abstract: At CRYPTO 2013, Boneh and Zhandry initiated the study of quantum-secure encryption. They proposed first indistinguishability definitions for the quantum world where the actual indistinguishability only holds for classical messages, and they provide arguments why it might be hard to achieve a stronger notion. In this work, we show that stronger notions are achievable, where the indistinguishability holds for quantum superpositions of messages. We investigate exhaustively the possibilities and subtle differences in defining such a quantum indistinguishability notion for symmetric-key encryption schemes. We justify our stronger definition by showing its equivalence to novel quantum semantic-security notions that we introduce. Furthermore, we show that our new security definitions cannot be achieved by a large class of ciphers -- those which are quasi-preserving the message length. On the other hand, we provide a secure construction based on quantum-resistant pseudorandom permutations; this construction can be used as a generic transformation for turning a large class of encryption schemes into quantum indistinguishable and hence quantum semantically secure ones. Moreover, our construction is the first completely classical encryption scheme shown to be secure against an even stronger notion of indistinguishability, which was previously known to be achievable only by using quantum messages and arbitrary quantum encryption circuits.

Category / Keywords: foundations / quantum, semantic, indistinguishability, symmetric

Original Publication (with minor differences): IACR-CRYPTO-2016

Date: received 20 Apr 2015, last revised 1 Jun 2016

Contact author: tommaso at gagliardoni net

Available format(s): PDF | BibTeX Citation

Version: 20160601:135110 (All versions of this report)

Short URL: ia.cr/2015/355

Discussion forum: Show discussion | Start new discussion


[ Cryptology ePrint archive ]