Semantic Security and Indistinguishability in the Quantum World

TL;DR

This paper advances quantum encryption security by defining and achieving stronger indistinguishability notions for quantum messages, introducing new security concepts, and providing a classical encryption scheme secure against these enhanced quantum adversaries.

Contribution

It introduces stronger quantum indistinguishability and semantic security notions, and constructs a classical encryption scheme secure under these new definitions.

Findings

Stronger quantum indistinguishability notions are achievable.

Many message-length-preserving ciphers cannot meet these security standards.

A classical encryption scheme secure against these notions is constructed.

Abstract

At CRYPTO 2013, Boneh and Zhandry initiated the study of quantum-secure encryption. They proposed first indistinguishability definitions for the quantum world where the actual indistinguishability only holds for classical messages, and they provide arguments why it might be hard to achieve a stronger notion. In this work, we show that stronger notions are achievable, where the indistinguishability holds for quantum superpositions of messages. We investigate exhaustively the possibilities and subtle differences in defining such a quantum indistinguishability notion for symmetric-key encryption schemes. We justify our stronger definition by showing its equivalence to novel quantum semantic-security notions that we introduce. Furthermore, we show that our new security definitions cannot be achieved by a large class of ciphers -- those which are quasi-preserving the message length. On the other hand, we provide a secure construction based on quantum-resistant pseudorandom permutations; this construction can be used as a generic transformation for turning a large class of encryption schemes into quantum indistinguishable and hence quantum semantically secure ones. Moreover, our construction is the first completely classical encryption scheme shown to be secure against an even stronger notion of indistinguishability, which was previously known to be achievable only by using quantum messages and arbitrary quantum encryption circuits.