Paper 2026/846

A Survey on Security Reductions in Post-Quantum Cryptography

Thomas Attema, Netherlands Organisation for Applied Scientific Research, Centrum Wiskunde & Informatica
Ronald Cramer, Centrum Wiskunde & Informatica, Leiden University
Serge Fehr, Centrum Wiskunde & Informatica, Leiden University
Yu-Hsuan Huang, Max Planck Institute for Security and Privacy
Bor de Kock, Netherlands Organisation for Applied Scientific Research
Jana Sotáková, Netherlands Organisation for Applied Scientific Research
Abstract

It is obviously necessary that the security of post-quantum cryptographic schemes is based on computational problems that are hard to solve even with a quantum computer (unlike, e.g., factoring). Examples of such computational problems appear in the theory of lattices or in coding theory. However, this is not sufficient: also the security proof, which comes in the form of an algorithmic reduction that turns any hypothetical attacker into an algorithm that solves the considered hard computational problem, needs to be valid when considering quantum computing as the model of computation. In this work, we provide an overview of the hurdles one typically encounters when proving the security of post-quantum cryptographic schemes, and we elaborate on some of the mathematical techniques that have been developed in order to overcome these hurdles (to some extent). We also discuss the caveat that even when a security proof can be established (by reducing the security to a quantum-hard computational problem), the reduction often suffers from a larger reduction loss, compared to when proving classical security, which negatively affects the concrete security. In the second part of this work, we offer a survey of the respective reduction losses in (1) generic transformations that are often used in the design of cryptographic schemes (like the Fiat-Shamir and Fujisaki-Okamoto transformations), and (2) some concrete cryptographic schemes (with a focus on those standardized by NIST), when considering classical and when considering post-quantum security. Finally, we consider the notion of bit security, the standard measure of the concrete security of a cryptographic scheme (or of the hardness of an underlying computational problem). A natural question is how the bit security is affected by the different reduction losses we encountered. Surprisingly, we observe that a better or worse reduction (in terms of the reduction loss) is not always reflected as such in the bit security. We explain this phenomenon by the fact that the bit security is oblivious to the actual advantage–time function, and instead considers a worst-case behavior of that function. Thus, by exploiting the actual advantage–time function there is potential to get more accurate (i.e., less conservative) estimates for the concrete security.

Metadata
Available format(s)
PDF
Category
Public-key cryptography
Publication info
Preprint.
Keywords
PKCPQCPost-Quantum CryptographyQuantumSecurity ProofsSecurity ReductionsProvable Security
Contact author(s)
thomas attema @ tno nl
ronald cramer @ cwi nl
fehr @ cwi nl
yu-hsuan huang @ mpi-sp org
bor dekock @ tno nl
jana sotakova @ tno nl
History
2026-05-05: approved
2026-04-30: received
See all versions
Short URL
https://ia.cr/2026/846
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2026/846,
      author = {Thomas Attema and Ronald Cramer and Serge Fehr and Yu-Hsuan Huang and Bor de Kock and Jana Sotáková},
      title = {A Survey on Security Reductions in Post-Quantum Cryptography},
      howpublished = {Cryptology {ePrint} Archive, Paper 2026/846},
      year = {2026},
      url = {https://eprint.iacr.org/2026/846}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.