Uncloneable Decryptors from Quantum Copy-Protection

TL;DR

This paper introduces new security notions and constructions for uncloneable decryptors in the quantum setting, achieving CPA and CCA2 security in the symmetric encryption context.

Contribution

It establishes a connection between copy protection schemes and uncloneable decryptors, introducing flip detection security and strengthening security to CCA2 using digital signatures.

Findings

First to achieve CPA security for uncloneable decryptors in symmetric encryption.

Constructed uncloneable decryptors from copy protection schemes.

Extended security notions for uncloneable decryptors.

Abstract

Uncloneable decryptors are encryption schemes (with classical plaintexts and ciphertexts) with the added functionality of deriving uncloneable quantum states, called decryptors, which could be used to decrypt ciphers without knowledge of the secret key (Georgiou and Zhandry, IACR'20). We study uncloneable decryptors in the computational setting and provide increasingly strong security notions which extend the various indistinguishable security notions of symmetric encryption. We show that CPA secure uncloneable bit decryptors could be instantiated from a copy protection scheme (Aaronson, CCC'09) for any balanced binary function. We introduce a new notion of flip detection security for copy protection schemes inspired by the notions of left or right security for encryption schemes, and show that it could be used to instantiate CPA secure uncloneable decryptors for messages of unrestricted length. We then show how to strengthen the CPA security of uncloneable decryptors to CCA2 security using strong EUF-CMA secure digital signatures. We show that our constructions could be instantiated relative to either the quantum oracle used in [Aar09] or the classical oracle used in (Aaronson et al., CRYPTO'21) to instantiate copy protection schemes. Our constructions are the first to achieve CPA or CCA2 security in the symmetric setting.