Classical Cryptographic Protocols in a Quantum World^{1}
Abstract
Cryptographic protocols, such as protocols for secure function evaluation (SFE), have played a crucial role in the development of modern cryptography. The extensive theory of these protocols, however, deals almost exclusively with classical attackers. If we accept that quantum information processing is the most realistic model of physically feasible computation, then we must ask: what classical protocols remain secure against quantum attackers?
Our main contribution is showing the existence of classical twoparty protocols for the secure evaluation of any polynomialtime function under reasonable computational assumptions (for example, it suffices that the learning with errors problem be hard for quantum polynomial time). Our result shows that the basic twoparty feasibility picture from classical cryptography remains unchanged in a quantum world.
Contents
1 Introduction
Cryptographic protocols, such as protocols for secure function evaluation (SFE), have played a crucial role in the development of modern cryptography. Goldreich, Micali and Wigderson [38], building on the development of zeroknowledge (ZK) proof systems [40, 39], showed that SFE protocols exist for any polynomialtime function under mild assumptions (roughly, the existence of secure publickey cryptosystems). Research into the design and analysis of such protocols is now a large subfield of cryptography; it has also driven important advances in more traditional areas of cryptography such as the design of encryption, authentication and signature schemes.
The extensive theory of these protocols, however, deals almost exclusively with classical attackers. However, given our current understanding of physics, quantum information processing is the most realistic model of physically feasible computation. It is natural to ask: what classical protocols remain secure against quantum attackers? In many cases, even adversaries with modest quantum computing capabilities, such as the ability to share and store entangled photon pairs, are not covered by existing proofs of security.
Clearly not all protocols are secure: we can rule out anything based on the computational hardness of factoring, the discrete log [65], or the principal ideal problem [45]. More subtly, the basic techniques used to reason about security may not apply in a quantum setting. For example, some informationtheoretically secure twoprover ZK and commitment protocols are analyzed by viewing the provers as long tables that are fixed before queries are chosen by the verifier; quantum entanglement breaks that analysis and some protocols are insecure against colluding quantum provers (Crépeau et al., [23]).
In the computational realm, rewinding is a key technique for basing the security of a protocol on the hardness of some underlying problem. Rewinding proofs consist of a mental experiment in which the adversary is run multiple times using careful variations of a given input. At first glance, rewinding seems impossible with a quantum adversary since running it multiple times might modify the entanglement between its internal storage and an outside reference system, thus changing the overall system’s behavior.
In a breakthrough paper, Watrous [72] showed that a specific type of zeroknowledge proof (3round, GMWstyle protocols) can be proven secure using a rewinding argument tailored to quantum adversaries. Damgård and Lunemann [24] showed that a similar analysis can be applied to a variant of Blum’s coin flipping protocol. Hallgren et al. [46] showed certain classical transformations from honestverifier to maliciousverifier ZK can be modified to provide security against malicious quantum verifiers. Some informationtheoretically secure classical protocols are also known to resist quantum attacks [20, 7, 32, 68]. Finally, there is a longer line of work on protocols that involve quantum communication, dating back to Bennett and Brassard [8]. Overall, however, little is known about how much of the classical theory can be carried over to quantum settings. See “Related Work”, below, for more detail.
1.1 Our Contributions
Our main contribution is showing the existence of classical twoparty protocols for the secure evaluation of any polynomialtime function under reasonable computational assumptions (for example, it suffices that the learning with errors problem [64] be hard for quantum polynomial time). Our result shows that the basic twoparty feasibility picture from classical cryptography remains unchanged in a quantum world. The only twoparty general SFE protocols which had previously been analyzed in the presence of quantum attackers required quantum computation and communication on the part of the honest participants (e.g. [21, 27]).
In what follows, we distinguish two basic settings: in the standalone setting, protocols are designed to be run in isolation, without other protocols running simultaneously; in network settings, the protocols must remain secure even when the honest participants are running other protocols (or copies of the same protocol) concurrently. Protocols proven secure in the universal composability (UC) model [13] are secure in arbitrary network settings, but UCsecurity is impossible to achieve in many scenarios.
Our contributions can be broken down as follows:
General Modeling of StandAlone Security with Quantum Adversaries. We describe a security model for twoparty protocols in the presence of a quantum attackers. Proving security in this model amounts to showing that a protocol for computing a function behaves indistinguishably from an “ideal” protocol in which is computed by a trusted third party, which we call the ideal functionality . Our model is a quantum analogue of the model of standalone security developed by Canetti [12] in the classical setting. It slightly generalizes the existing model of Damgård et al. [27] in two ways. First, our model allows for protocols in which the ideal functionalities process quantum information (rather than only classical functionalities). Second, it allows for adversaries that take arbitrary quantum advice, and for arbitrary entanglement between honest and malicious players’ inputs. Our model may be viewed as a restriction of the quantum UC model of Unruh [68] to noninteractive distinguishers, and we use that connection in our protocol design (see below). We also discuss possible variants of quantum standalone models and initiate a study on their relationships, which connects to interesting questions in a broad scope.
We show a sequential modular composition theorem for protocols analyzed in our model. Roughly, it states that one can design protocols modularly, treating subprotocols as equivalent to their ideal versions when analyzing security of a highlevel protocol. While the composition result of Damgård et al. [27] allows only for classical highlevel protocols, our result holds for arbitrary quantum protocols.
Classical Zeroknowledge Arguments of Knowledge Secure Against Quantum Adversaries. We construct a classical zeroknowledge argument of knowledge (ZKAoK) protocol that can be proven secure in our standalone model. Our construction is “witnessextendable” (Lindell [50]), meaning that one can simulate an interaction with a malicious prover and simultaneously extract a witness of the statement whenever the prover succeeds. Our security proof overcomes a limitation of the previous construction of (twoparty) quantum proofs of knowledge (Unruh [70]), which did not have a simulator for malicious provers. Such a simulator is important since it allows one to analyze security when using a proof of knowledge as a subprotocol. As in the classical case, our ZKAoK protocol is an important building block in designing general SFE protocols.
The main idea behind our construction is to have the prover and verifier first execute a weak coinflipping protocol to generate a public key for a special type of encryption scheme. The prover encrypts his witness with respect to this public key and proves consistency of his ciphertext with the statement using the ZK protocols analyzed by Watrous [72]. A simulator playing the role of the verifier can manipulate the coinflipping phase to generate a public key for which she knows the secret key, thus allowing her to extract the witness without needing to rewind the prover. A simulator playing the role of the prover, on the other hand, cannot control the coin flip (to our knowledge) but can ensure that the public key is nearly random. If the encryption scheme satisfies additional properties (that can be realized under widely used latticetype assumptions), we show that the verifier’s view can nonetheless be faithfully simulated.
Classical UC Protocols in a Quantum Context: Towards Unruh’s Conjecture. We show that a large class of protocols which are UCsecure against computationally bounded classical adversaries are also UCsecure against quantum adversaries. Unruh [68] showed that any classical protocol which is proven UCsecure against unbounded classical adversaries is also UCsecure against unbounded quantum adversaries. He conjectured (roughly, see [68] for the exact statement) that classical arguments of computational UC security should also go through as long as the underlying computational primitives are not easily breakable by quantum computers.
We provide support for this conjecture by describing a family of
classical security arguments that go through verbatim with quantum
adversaries. We call these arguments “simple hybrid arguments”.
They use rewinding neither in the simulation nor in any of the steps
that show the correctness of simulation.
Our observation allows us to port a general result of Canetti et al. [15] to the quantum setting. We obtain the following: in the hybrid model, where a trusted party implementing ZKAoK is available, there exist classical protocols for the evaluation of any polynomialtime function that are UCsecure against quantum adversaries under reasonable computational assumptions. As an immediate corollary, we get a classical protocol that quantumUC emulates the ideal functionality for coinflipping, assuming UCsecure ZK.
New Classical UC Protocols Secure Against Quantum Attacks. We construct new twoparty protocols that are UCsecure against quantum adversaries. Adapting ideas from Lindell [50], we show a constantround classical coinflipping protocol from ZK (i.e. in hybrid model). Note that the general feasibility result from above already implies the existence of a quantumUC secure coinflipping protocol, but it needs polynomially many rounds. Conversely, we can also construct a constantround classical protocol for ZKAoK that is UCsecure against quantum adversaries, assuming a trusted party implementing coinflipping, i.e. in the hybrid model (essentially equivalent to the common reference string model, where all participants have access to a common, uniformly distributed bit string). This establishes the equivalence between and in the quantum UC model, which may be of independent interest, e.g., in simplifying protocol designs. It has also motivated a subsequent work by Fehr et el. [34] where they showed interesting connections between ideal functionalities in the quantumUC model in a systematic way.
Implications. The modular composition theorem in our standalone model allows us to get the general feasibility result below by combining our standalone ZKAoK protocol and the UCsecure protocols in hybrid model:
Under standard assumptions, there exist classical SFE protocols in the plain model (without a shared random string) which are standalonesecure against static quantum adversaries. This parallels the classic result of Goldreich, Micali and Wigderson [38].
The equivalence of zeroknowledge and coinflipping functionalities in the UC model also has interesting implications. First, the availability of a common reference string (CRS) suffices for implementing quantumUC secure protocols. Secondly, given our standalone ZKAoK protocol, we get a quantum standalone coinflipping protocol.
Independently of our work, Lunemann and Nielsen [54], via a different route, also showed the existence of classical twoparty SFE protocols secure against quantum attacks. See the discussion at the end of “Related Work”.
1.2 Related work
In addition to the previous work mentioned above, we expand here on three categories of related efforts.
Composition Frameworks for Quantum Protocols. Systematic investigations of the composition properties of quantum protocols are relatively recent. Canetti’s UC framework and Pfitzmann and Waidner’s closely related reactive functionality framework were extended to the world of quantum protocols and adversaries by BenOr and Mayers [5] and Unruh [67, 68]. These frameworks (which share similar semantics) provide extremely strong guarantees—security in arbitrary network environments. They were used to analyze a number of unconditionally secure quantum protocols (key exchange [6] and multiparty computation with honest majorities [7]). However, many protocols are not universally composable, and Canetti [13] showed that classical protocols cannot UCsecurely realize even basic tasks such as commitment and zeroknowledge proofs without some additional setup assumptions such as a CRS or publickey infrastructure.
Damgård et al.[27], building on work by Fehr and Schaffner [32], proposed a general composition framework which applies only to secure quantum protocols of a particular form (where quantum communication occurs only at the lowest levels of the modular composition). As noted earlier, our model is more general and captures both classical and quantum protocols. Recently, Maurer and Renner proposed a new composable framework called Abstract Cryptography [55], and it has been adapted to analyzing quantum protocols as well [29].
Analyses of Quantum Protocols. The first careful proofs of security of quantum protocols were for key exchange (Mayers [57], Lo and Chau [53], Shor and Preskill [66], Beaver [2]). Research on quantum protocols for twoparty tasks such as coinflipping, bit commitment and oblivious transfer dates back farther [11, 9], though some initially proposed protocols were insecure [57]. The first proofs of security of such protocols were based on computational assumptions [28, 21]. They were highly protocolspecific and it was not known how well the protocols composed. The first proofs of security using the simulation paradigm were for informationtheoreticallysecure protocols for multiparty computations assuming a strict majority of honest participants [20, 22, 7]. More recently, Dupuis et al. [30, 31] constructed twoparty quantum protocols for evaluating arbitrary unitary operations, which they proved secure under reasonable computational assumptions in a simulationbased definition similar to what we propose in this work. There was also a line of work on the bounded quantum storage model [26, 25, 32, 69] developed tools for reasoning about specific types of composition of twoparty protocols, under assumptions on the size of the adversary’s quantum storage. Many tools have been developed in recent years on modeling and analyzing composable security for protocols of deviceindependent quantum keyexchange and randomness expansion [33, 71, 58, 18].
StraightLine Simulators and CodeBased Games. As mentioned above, we introduce “simple hybrid arguments” to capture a class of straightforward security analyses that go through against quantum adversaries. Several formalisms have been introduced in the past to capture classes of “simple” security arguments. To our knowledge, none of them is automatically compatible with quantum adversaries. For example, straightline blackbox simulators [49] do not rewind the adversary nor use an explicit description of its random coins; however, it may be the case that rewinding is necessary to prove that the straightline simulator is actually correct. In a different vein, the codebased games of Bellare and Rogaway [4] capture a class of hybrid arguments that can be encoded in a clean formal language; again, however, the arguments concerning each step of the hybrid may still require rewinding.
Independent Work. Lunemann and Nielsen [54] independently obtained similar results to the ones described here, via a slightly different route. Specifically, they start by constructing a standalone coinflipping protocol that is fully simulatable against quantum polytime adversaries. Then they use the coinflipping protocol to construct a standalone ZKAoK protocol, and finally by plugging into the GMW construction, they get quantum standalonesecure twoparty SFE protocols as well. The computational assumptions in the two works are similar and the round complexities of the standalone SFE protocols are both polynomial in the security parameter. Our approach to composition is more general, however, leading to results that also apply (in part) to the UC model.
1.3 Future Directions
Our work suggests a number of straightforward conjectures. For example, it is likely that our techniques in fact apply to all the results in CLOS (multiparty, adaptive adversaries) and to corresponding results in the “generalized” UC model [16]. Essentially all protocols in the semihonest model seem to fit the simple hybrids framework, in particular protocols based on Yao’s garbledcircuits framework (e.g. [3]). It is also likely that existing proofs in security models which allow superpolynomial simulation (e.g., [62, 63, 1]) will carry through using a similar line of argument to the one here.
However, our work leaves open some basic questions: for example, can we construct constantround ZK with negligible completeness and soundness errors against quantum verifiers? Watrous’s technique does not immediately answer it since sequential repetition seems necessary in his construction to reduce the soundness error. A quick look at classical constantround ZK (e.g., [35]) suggests that witnessindistinguishable proofs of knowledge are helpful. Is it possible to construct constantround witnessextendable WI proofs of knowledge? Do our analyses apply to extensions of the UC framework, such the generalized UC framework of Canetti et al. [16]? Finally, more generally, which other uses of rewinding can be adapted to quantum adversaries? Aside from the original work by Watrous [72], Damgård and Lunemann [24] and Unruh [70] have shown examples of such adaption.
Organization. The rest of the paper is organized as follows: Section 2 reviews basic notations and definitions. In Section 3, we propose our quantum standalone security model. We show our main result in Section 4. Specifically, Section 4.1 establishes quantumUC secure protocols in hybrid model. A quantum standalonesecure ZKAoK protocol is developed in Section 4.2. Finally in Section 5, we discuss equivalence of and .
2 Preliminaries
For , denotes the set . We use to denote a security parameter. The security parameter, represented in unary, is an implicit input to all cryptographic algorithms; we omit it when it is clear from the context. Quantities derived from protocols or algorithms (probabilities, running times, etc.) should be thought of as functions of , unless otherwise specified. A function is said to be negligible if for any constant , and is used to denote an unspecified function that is negligible in . We also use to denote an unspecified function for some constant . When is a probability distribution, the notation indicates that is a sample drawn according to . When is a finite set, we implicitly associate with it the uniform distribution over the set. If is a probabilistic algorithm, denotes the distribution over the output of corresponding to input . We will sometimes use the same symbol for a random variable and for its probability distribution when the meaning is clear from the context. Let and be two ensembles of binary random variables. We call indistinguishable, denoted , if .
We assume the reader is familiar with the basic concepts of quantum information theory (see, e.g., [61]). We use a sans serif letter (e.g. ) to denote both a quantum register and the corresponding Hilbert space. We use if we want to be specific about the security parameter. Let denote the space for qubits. Let be the set of density operators acting on space and be the set of linear operators from space to .
Quantum Machine Model. We adapt Unruh’s machine model in [68] with minor changes. A quantum interactive machine (QIM) is an ensemble of interactive circuits . The index set is typically the natural numbers or a set of strings (or both). We give our description here with respect to . For each value of the security parameter, consists of a sequence of circuits , where defines the operation of in one round and is the number of rounds for which operates (we assume for simplicity that depends only on ). We omit the scripts when they are clear from the context or are not essential for the discussion. Machine (or rather each of the circuits that it comprises) operates on three registers: a state register used for input and workspace; an output register ; and a network register for communicating with other machines. The size (or running time) of is the sum of the sizes of the circuits . We say a machine is polynomial time if and there is a deterministic classical Turing machine that computes the description of in polynomial time on input .
When two QIMs and interact, they share network register . The circuits and are executed alternately for . When three or more machines interact, the machines may share different parts of their network registers (for example, a private channel consists of a register shared between only two machines; a broadcast channel is a register shared by all machines). The order in which machines are activated may be either specified in advance (as in a synchronous network) or adversarially controlled.
A noninteractive quantum machine (referred to as QTM hereafter) is a QIM with network register empty and it runs for only one round (for all ). This is equivalent to the quantum Turing machine model (see [73]).
A classical interactive Turing machine is a special case of a QIM, where the registers only store classical strings and all circuits are classical. This is also called an interactive Turing machine (ITM) with advice (Canetti [12, 13]).
Indistinguishability of Quantum States. Let and be ensembles of mixed states indexed by , where and are both qubit states for some polynomially bounded function . We first define a somewhat weak notion of indistinguishability of quantum state ensembles.
Definition 1 (weakly indistinguishable states).
We say two quantum state ensembles and are weakly indistinguishable, denoted , if for every time QTM ,
The states and are called weakly computationally indistinguishable, denoted , if for every polynomial , there exists a negligible such that and are weakly computationally indistinguishable.
A stronger notion of indistinguishability of quantum states was proposed by Watrous [72, Definition 2]. The crucial distinction is that a distinguisher is allowed to take quantum advice.
Definition 2 (indistinguishable states).
We say two quantum state ensembles and are indistinguishable, denoted , if for every time QTM and any mixed state ,
The states and are called quantum computationally indistinguishable, denoted , if for every polynomial , there exists a negligible such that and are indistinguishable.
The two definitions above subsume classical distributions as a special case, since classical distributions can be represented by density matrices that are diagonal with respect to the standard basis.
Indistinguishability of Quantum Machines. Now we introduce the notion of distinguishing two QTMs.
Definition 3 (indistinguishable QTMs).
We say two QTMs and are indistinguishable, denoted , if for any time QTM and any mixed state , where is an arbitrary reference system,
Machines and are called quantum computationally indistinguishable, denoted , if for every polynomial , there exists a negligible such that and are computationally indistinguishable.
This definition is equivalent to quantum computationally indistinguishable superoperators proposed by Watrous [72, Definition 6]. If we do not restrict the running time of the distinguisher, we obtain a statistical notion of indistinguishability. Let be the trace distance between density operators.
Definition 4 (indistinguishable QTMs in diamond norm).
We say two QTMs and are indistinguishable in diamond norm, denoted , if for any , being an arbitrary reference system,
QIMs and are said to be indistinguishable in diamond norm, denoted , if there exists a negligible such that and are indistinguishable in diamond norm.
Indistinguishability of QIMs. Next, we generalize the definitions of indistinguishability above to interactive quantum machines. Let and be two QIMs, we denote as the following process: machine is initialized with , it then provides input to and interacts with . In the end, the output register of is given to and generates one classical bit on its own output register.
Definition 5 (indistinguishable QIMs).
We say two QIMs and are interactively indistinguishable, denoted , if for any quantum time interactive machine and any mixed state on qubits,
QIMs and are called quantum computationally interactively indistinguishable, denoted , if for every , there exists a negligible such that and are interactively indistinguishable.
We may call such an interactive distinguisher. We can likewise define statistically interactively indistinguishable QIMs, denoted , if we allow unbounded interactive distinguisher .
Remark 1.
Quantum interactive machines, as we defined earlier, actually can be seen as a subset of quantum strategies, formulated in [44]. Namely, a QIM is a strategy in which each channel can be implemented by a uniformly generated circuit. Therefore we can as well define statistically interactively indistinguishability using the norm for quantum strategies. See Gutoski [42] and Chiribella et al. [17] for details about characterizing distinguishability of quantum strategies using the norm.
Ideal functionalities. We sketch ideal functionalities, i.e., the programs of a trusted party in an ideal protocol, for a few basic cryptographic tasks.
Commitment : At “Commit” stage, Alice (the committer) inputs a bit and Bob (the receiver) receives from a notification that a bit was committed. At “Open” stage, Alice can input the command open to who then sends Bob .
Oblivious Transfer : Alice (the sender) inputs bits and Bob (the receiver) inputs a selection bit . Bob receives from .
Zeroknowledge : Let be an NP relation. Upon receiving from Alice, verifies . If yes, it sends to Bob; otherwise it instructs Bob to reject.
Coin Flipping : Alice and Bob input the request to , and randomly chooses and sends it to Alice. Alice responds with “acc” or “rej” indicating continuing or aborting respectively. In the case of “acc”, sends to Bob and otherwise sends Bob . Note the functionality is asymmetric in the sense that Alice gets the coins first. This avoids the complicated issue about fairness, which has been an active line of research in classical cryptography (see for example [19, 48, 59, 41]) and is beyond the scope of this paper.
3 Modeling Security in the Presence of Quantum Attacks
In this section, we propose a standalone security model for twoparty protocols in the presence of quantum attacks and show a modular composition theorem in this model, which allows us to use secure protocols as ideal building blocks to construct larger protocols. We also discuss variants of our standalone model in a unified framework. To be selfcontained, we review in Section 3.2 the quantum universalcomposable (UC) security model, which is a generalization of classical UC model to the quantum setting.
3.1 A General Quantum StandAlone Security Model
Our model follows the realworld/idealworld simulation paradigm. It proceeds in three highlevel steps: (i) Formalizing the process of executing a protocol in the presence of adversarial activities. (ii) Formalizing an idealworld protocol for realizing the desired task. This is an (imaginary) idealized protocol which captures the security guarantees we want to achieve. (iii) Finally we say a (realworld) protocol realizes a task securely if it “behaves similarly” to the idealworld protocol for that task (Definition 3). “Behaving similarly” is formalized by the notion of standalone emulation between protocols (Definition 1, 2).
Our definition can be viewed in two ways: either as a quantum analogue
of Canetti’s classical standalone model [12] or as a relaxed
notion of (a variant of) Unruh’s quantum UC
security [68]. Prior to our work, standalone security
definitions for quantum attacks were largely developed ad
hoc
The Model
We describe our model for the twoparty setting; it is straightforward to extend to multiparty setting. We first introduce a few important objects in our model. We formalize a cryptographic task by an interactive machine called a functionality. It contains the instructions to realize the task, and we usually denote it by or . While our model applies to both classical and quantum functionalities, our focus in this work will be efficient classical functionalities. Namely is a classical probabilistic polynomialtime machine. A twoparty protocol for a task consists of a pair of interactive machines . We call a protocol polytime if are both polytime machines. We typically use Greek letters (e.g., ) to denote protocols. If we want to emphasize that a protocol is classical, i.e., computation and all messages exchanged are classical, we then use lowercase letters (e.g., ). Finally, an adversary, usually denoted or , is another interactive machine that intends to attack a protocol. Very often we abuse notation and do not distinguish a machine and the player that runs the machine. This should not cause any confusion.
Protocol Execution. We consider executing a protocol in the presence of an adversary . Their state registers are initialized by a secure parameter and a joint quantum state . Adversary gets activated first and coordinates the execution. Specifically, the operations of each party are:

Adversary : it may either deliver a message to some party or corrupt a party. Delivering a message is simply instructing the designated party (i.e., the receiver) to read the proper segment of his network register. We assume all registers are authenticated so that cannot modify them and in particular if the register is private to the party, may not read the content. Other than that, can for example schedule the messages to be delivered in any arbitrary way. If corrupts a party, the party passes all of its internal state to and follows the instructions of . In the twoparty setting, corrupting a party can be simply thought of as substituting the machine of for the machine of the corrupted party.

Parties in : once a party receives a message from , it gets activated and runs its machine. At the end of one round, some message is generated on the network register. Adversary is activated again and controls message delivery. At some round, the party generates some output and terminates.
Clearly, we can view and as a whole and model the composed system as another QIM, call it . Then executing in the presence of is just running on some input state, which may be entangled with a reference system that will be handed to the distighuisher.
Protocol Emulation. As indicated earlier, a secure protocol is supposed to “emulate” an idealized protocol. Here we formally define emulation between protocols. Let and be two protocols. Let be the composed machine of and an adversary , and be that of and another adversary . Informally, emulates if the two machines and are indistinguishable.
Definition 1 (Computationally QuantumStandAlone Emulation).
Let and be two polytime protocols. We say computationally quantumstandalone (CQSA) emulates , if for any polytime QIM there exists a polytime QIM such that
Definition 2 (Statistically QuantumStandAlone Emulation).
Let and be two polytime protocols. We say statistically quantumstandalone (SQSA) emulates , if for any QIM there exists an QIM that runs in polytime of that of , such that .
Remark 2.
Idealworld Protocol and Secure Realization of a Functionality. We formalized protocol emulation in a general form which applies to any two protocols. But it is of particular interest to emulate a special type of protocol which captures the security guarantees we want to achieve. We formalize the socalled idealworld protocol for a functionality . In this protocol, two (dummy) parties and have access to an additional “trusted” party that implements . We may abuse notation and call the trusted party too. Basically and invoke with their inputs, and then runs on the inputs and sends the respective outputs back to and . An execution of with an adversary is similar to our prior description for executing a (realworld) protocol, except that cannot be corrupted. Likewise, we denote the composed machine of and as . We state the definition in the computational setting; statistical emulation is defined analogously.
Definition 3 (CQsa Realization of a Functionality).
Let be a polytime twoparty functionality and be a polytime twoparty protocol. We say computationally quantumstandalone realizes , if CQSA emulates . Namely, for any polytime , there is a polytime such that .
It is conventional to use to denote the binary output distribution ensemble of that runs on the output state of an execution of and with input . Likewise, denotes the binary output distribution ensemble of in an execution of the idealworld protocol . Definition 3 can be restated as requiring that for any polytime there exists a polytime such that, for any polytime and state , we have
Types of Attack. Typically, we need to speak of security against a specific class of adversaries. We have distinguished two classes of adversaries according to their computational complexity, i.e., polytime vs. unbounded time. We also categorize adversaries according to how they corrupt the parties and how they deviate from the honest behavior defined by the protocol. The standard two types of corruptions considered in the literature are static vs. adaptive corruptions. Under static corruption, the identities of corrupted parties are determined before protocol starts. In contrast, adaptive corruption allows an adversary to change the party to corrupt adaptively during the execution. This work only concerns static corruption.
In terms of what dishonest behaviors are permitted for an adversary, again two classes are considered standard in the literature: semihonest (a.k.a. passive or honestbutcurious) and malicious (a.k.a. active). A semihonest adversary, after corrupting a party, still follows the party’s circuit, except that in the end it processes the output and the state of the party. A malicious adversary, however, can substitute any circuit for the corrupted party. In the definitions of the protocol emulation, unless otherwise specified, the two adversaries in the realworld and idealworld must belong to the same class. For example, if is semihonest, must also be semihonest.
These notions of different classes of adversaries naturally extend to quantum adversaries, except for one subtlety in defining semihonest quantum adversaries. There are two possible definitions. One definition, which may be referred to as the LoChauMayers semihonest model [52, 56], allows to run the circuit of the corrupted party, which is specified by the protocol, coherently. Namely purifies the circuit of corrupted party so that all operations are unitary. For example, instead of measuring a quantum state, the register is “copied” by a CNOT operation to an ancillary register. Another definition forces the adversary to exactly faithfully follow the corrupted party’s circuit during the protocol execution, so that any quantum measurement occurs instantaneously and possibly destructively. In other words, in the second model, a semihonest quantum adversary only corrupts a party at the end of the protocol execution, and then processes the internal state and transcript that the corrupted party holds. This second model is generally weaker than the first, in the sense that the adversary is more restricted. In this paper, we focus on the second of these two notions.
Modular Composition Theorem
It is common practice in the design of large protocols to divide a task into several subtasks. We first realize each subtask, and then use these modules as building blocks (subroutines) to realize the initial task. In this section, we show that our definition allows such modular design.
Composition Operation. Let be a protocol that uses another protocol as a subroutine, and let be a protocol that QSA emulates . We define the composed protocol, denoted , to be the protocol in which each invocation of is replaced by an invocation of . We allow multiple calls to a subroutine and also using multiple subroutines in a protocol . However, we require that at any point, only one subroutine call be in progress; that is, we handle sequential composition. This is weaker than the “network” setting, where many instances and subroutines may be executed concurrently.
We can show that our quantum standalone model admits a modular composition theorem.
Theorem 4 (Modular Composition: General Statement).
Let , and be twoparty protocols such that CQSA (resp. SQSA) emulates , then CQSA (resp. SQSA) emulates .
The proof can be found in Appendix A. Here we discuss an important type of protocol where the composition theorem is especially useful.
Protocols in a Hybrid Model. We next define a hybrid
model, in which the parties can make calls to an idealworld protocol
of some functionality
Now assume that we have a protocol that realizes and we have designed a hybrid protocol realizing another functionality . Then the composition theorem allows us to treat subprotocols as equivalent to their ideal versions when analyzing security of a highlevel protocol.
Corollary 5 (Modular Composition: Realizing Functionalities).
Let and be polytime functionalities. Let be a hybrid protocol that CQSA (resp. SQSA) realizes , and be a protocol that CQSA (resp. SQSA) realizes , then CQSA (resp. SQSA) realizes .
Variants of Quantum StandAlone Models: A Unified Framework
When defining a security model, there are lots of choices qualifying and quantifying the power of the adversaries to account for various security requirements. Here we provide an abstract standalone model for both classical and quantum cryptographic protocols, illustrated in Figure 4, which contains three natural choices for the adversaries which we think are essential. This abstract model captures all existing standalone security models (including ours) and this allows for a unified study of, and comparison among, these models. The relationship between these models may be interesting beyond the study of SFE.
The model contains an environment and a protocol. Depending on whether the protocol is in real or ideal world, we have the honest party, the (realor idealworld) adversary and possibly the trusted party. Here we think of the environment as two separate machines: , which we may call an input sampler, prepares inputs to the players; and that receives outputs and makes the decision. Now we consider the following choices:

Does , the input sampler, have a quantum advice ? In other words, do we allow arbitrary input states or only states that can be generated efficiently?

Does , which is essentially a distinguisher, take quantum advice ?

Does pass a state to ? Namely, does the environment keep state during the execution?
Notice that positive answers potentially give more power to the adversaries and thus provides stronger security guarantee. Also note that all machines are always allowed to take classical advice. We may denote a security model as where the subscripts are from indicating each of the choices made for the model. For example corresponds to the model that gets quantum advice; takes no quantum advice and passes state to –this exactly leads to our model in Def. 1. Similarly, is the model where and both take quantum advice, and there is state passing from to .
We say two models and are equivalent if for any two protocols and , it holds that emulates in if and only if emulates in . It is conceivable that some of the combinations collapse to the same model. For example, if all players are classical circuits, then all eight models collapse. This is because classical (nonuniform) machines can only measure a quantum state in computational basis to obtain a classical string from a certain distribution. But a classical circuit can be hardwired with any classical string, and so (quantum) advice gives no extra power to a classical circuit. Passing state likewise becomes vacuous.
When we consider an adversary and environment consisting of quantum circuits, the situation becomes generally more complicated. We can observe that choice (b) becomes irrelevant once we permit arbitrary input state and state passing (i.e., ). We conjecture that state passing makes no difference either. If this is indeed true, then all the variants collapse when takes quantum advice. On the other hand, if takes no advice (i.e. only efficiently generated input states are allowed), we are left with two variants and . The relationship between these two models is closely related to the fundamental question in quantum complexity theory regarding . We leave further investigations as future work. In Appendix B, we discuss another variant that appears in the literature [27, 32], in which may only generate input states of a special form. We show that this does not change the model in the case that takes quantum advice.
3.2 Quantum UC Model: An Overview
So far, our security model falls into the standalone setting, where protocols are assumed to be executed in isolation. However, in practice we often encounter a network setting, where many protocols are running concurrently. A protocol proven secure according to a standalone security definition ensures nothing if we run it in a network environment. In view of this issue, Canetti [13] proposed the (classical) Universally Composable (UC) security model. It differs from the standalone definition of security in that the environment is allowed to be
interactive: during the execution of the protocol, the
environment may provide inputs and receive the outputs of the honest
players, and exchange arbitrary messages with the adversary. In
contrast, the environment in the standalone model runs only at the
end of the protocol execution (and, implicitly, before the protocol
starts, to prepare the inputs to all parties). UCsecure protocols
enjoy a property called general (or universal)
composition
Earlier work on defining UC security and proving universal composition in the quantum setting appears in [5, 67]. We will adapt the somewhat simpler formalism of Unruh [68].
Modulo a small change in Unruh’s model (quantum advice, discussed below), our standalone model is exactly the restriction of Unruh’s model to a noninteractive environment, that is one which is idle from the start to the finish of the protocol. The only apparent difference is that in the UC model, the environment runs for some time before the protocol starts to prepare inputs, while in Section 3.1 we simply quantify over all joint states of the honest players’ and adversary’s inputs. This difference is only cosmetic, though: the state can be taken to be the joint state of the outputs and internal memory of the environment at the time the protocol begins.
We make one change to Unruh’s model in order to be consistent with our earlier definitions and the work of Watrous on zeroknowledge [72]: we allow the environment to take quantum advice, rather than only classical advice. In the language of [68, p. 11], we change the initialization phase of a network execution to create a state which equals the classical string in (instead of ), and an arbitrary state in (instead of ). Here denotes the empty string. Moreover, we change the definition of indistinguishable networks [68, p. 12] to quantify over all states instead of all classical strings . This change is not significant for statistical security, since an unbounded adversary may reconstruct a quantum advice state from a (exponentially long) classical description. However, it may be significant for polynomialtime adversaries: it is not known how much quantum advice affects the power of, say BQP, relative to classical advice. For completeness, we state this modified definition of quantum UC security below.
Definition 6 (Computationally QuantumUC Emulation).
Let and be twoparty protocols. We say computationally quantumUC (CQUC) emulates , if for any polytime QIM , there is a polytime QIM such that (as per Def. 5).
Here (and likewise) denotes the composed system of and , which can be viewed as a QIM. Its network register consists of part of the adversary’s network register, and is used for external communication with another party (e.g., an environment). Alternatively, define and . We can rephrase the condition as “for any polytime QIM , there is a polytime QIM , such that for any polytime QIM , .”
If we allow and to be unbounded machines, i.e., we require that , then we get the notion of statistically quantumUC (SQUC) emulation. As suggested in [43], we can also use the norm on strategies to define it. Namely, we require that for any there exists such that .
General (Concurrent) Composition. The most striking feature of
UC model is that it admits a very general form of composition,
concurrent composition
Our modifications of Unruh’s definition do not affect the validity of the universal composition theorem:
Theorem 7 (Quantum UC Composition Theorem (Unruh [68])).
Let and be polytime protocols. Assume that quantumUC emulates . Then quantumUC emulates .
There is another useful property that simplifies the proof of UC emulation. In both classical and quantum UC models, it suffices to consider a special adversary, which is called the dummy adversary . The dummy adversary just forwards messages between a protocol and an environment and leaves any further processing to the environment. Here we only restate the completeness of dummy adversary in the quantum setting:
Theorem 8 (Completeness of the dummy adversary (Unruh [68, Lemma 12])).
Assume that quantumUC emulates with respect to the dummy adversary (i.e., instead of quantifying over all adversaries, we fix ). Then quantumUC emulates . This holds both for computational and statistical settings.
4 Classical Protocols with Quantum Security
This section studies what classical protocols remain secure against quantum attacks in the computational setting. Let be a classical twoparty polytime functionality. For technical reasons, needs to be wellformed. See [13, 15] for a formal definition and discussions. Throughout this paper, we only consider wellformed functionalities as well. Classically, there are two important families of secure protocols:

Standalone secure computation [38]: Assuming the existence of enhanced trapdoor permutations, there exists polytime protocols that computationally standalone emulates .

Universalcomposable secure computation [15]: Assuming the existence of enhanced trapdoor permutations, there exists protocols in the hybrid model that computationally UC emulates .
Our main result shows that these general feasibility results largely remain unchanged against quantum attacks:
Theorem (Informal).
For any classical twoparty functionality , there exists a classical protocol that quantum computationally standalone emulates , under suitable quantumresistant computational assumptions.
The proof of the theorem can be broken into two parts. First we show a quantum analogue of [15] in Section 4.1. Namely, there exist functionalities, such as , that are as powerful as to realizing any other functionalities based on them, even with respect to computationally quantumUC security. To achieve this, we develop a framework called simple hybrid arguments in Sect 4.1.1 to capture a large family of classical security analyses that go through against quantum adversaries. As a result, it amounts to design a (standalone) secure protocol for , which is the content of Section 4.2. We stress that security of existing protocols for relies on a sophisticated rewinding argument, and it is not clear if the arguments are still valid against quantum adversaries. Hence we need new ideas to get around this difficulty.
4.1 Basing Quantum UC Secure Computation on
We show here that is sufficient for UC secure computation of any twoparty functionality against any computational bounded quantum adversaries. That is, for any wellformed functionalities , there exists an hybrid protocol that CQUC emulates . We stress that these protocols are all classical, which can be implemented efficiently with classical communication and computation devices.
Theorem 1.
Assumption 1.
There exists a classical pseudorandom generator secure against any polytime quantum distinguisher.
Based on this assumption and the construction of [60], we can obtain a statistically binding and quantum computationally hiding commitment scheme . All commitment schemes we use afterwards refer to this one. This assumption also suffices for Watrous’s ZK proof system for any NPlanguage against quantum attacks.
Assumption 2.
There exists a dense classical publickey cryptosystem that is INDCPA (chosenplaintext attack) secure against quantum distinguishers.
A publickey cryptosystem is dense if a valid public key is indistinguishable in quantum polytime from a uniformly random string of the same length. Although it is likely that standard reductions would show that Assumption 2 implies Assumption 1, we chose to keep the assumptions separate because the instantiation one would normally use of the pseudorandom generator would not be related to the publickey system (instead, it would typically be based on a symmetrickey block or stream cipher). Both assumptions hold, for instance, assuming the hardness of leaning with errors (LWE) problem [64].
Simple Hybrid Argument.
Our analysis is based on a new abstraction called a simple hybrid argument (SHA). It captures a family of classical security arguments in the UC model which remains valid in the quantum setting (as long as the underlying primitives are secure against quantum adversaries).
Definition 2 (Simply related machines).
We say two QIMs and are simply related if there is a time QTM and a pair of classical distributions such that

(for two QIMs and , we say if the two machines behave identically on all inputs, that is, if they can be described by the same circuits),

, and

.
Example 1.
Figure 5 illustrates a pair of simply related machines.
Lemma 3.
If two machines and are simply related, then , i.e., they are interactively indistinguishable (as per Definition 5).
Proof.
By definition, and . If there is a with quantum advice that distinguishes and with advantage in time , we can construct a time distinguisher for and with advantage as well. This contradicts . Distinguisher works by taking an input sample from either or , simulates , and outputs whatever outputs. Obviously, runs in time at most and distinguishes and with the same advantage that distinguishes and . Thus we conclude for any time environment . ∎
Definition 4 (Simple hybrid argument).
Two machines and are related by a simple hybrid argument of length if there is a sequence of intermediate machines such that each adjacent pair of machines, , is simply related.
Lemma 5.
For any and , if two machines are related by a simple hybrid argument of length , then the machines are interactively indistinguishable.
Proof.
This is by a standard hybrid argument. Suppose, for contradiction, there exists a time machine with advice such that
Then by triangle inequality we can infer that there must exist some such that
However, by assumption and are (simply related and in particular no time machines can distinguish them with advantage greater than . ∎
Lifting CLOS to Quantum UC Security.
Now we apply our simple hybrid argument framework to analyze the protocol in CLOS. We first review the structure of the construction of CLOS in the static setting:

Let be a twoparty functionality. Design a protocol that computationally (classical) UC (CCUC) emulates against semihonest adversaries. The protocol uses a semihonest oblivious transfer (ShOT) protocol, which can be constructed assuming existence of enhanced trapdoor permutations.

Let be the “commitandprove” functionality of [15, Figure 8]. A protocol is constructed in hybrid model that CCUC emulates , assuming existence of a statistically binding and computationally hiding commitment scheme. Such a commitment scheme in turn can be constructed from a pseudorandom generator [60].

In hybrid model, a generic complier is designed. Let be the hybrid protocol after compilation. It is shown in [15, Proposition 8.1] that: for every classical adversary , there exists a classical adversary with running time polynomial in that of such that . That is, the interaction of with honest players running is identical to the interaction of with in the semihonest model, i.e., .
It then follows that, by the UC composition theorem, CCUC emulates in the hybrid model.
We then show how to make the construction secure against quantum adversaries using proper quantumresistant assumptions. The key observation is that the security proofs of the semihonest protocol and of the protocol in the hybrid model fall into our simple hybrid argument framework. Thus once we augment the computational assumptions to be quantumresistant, they immediately become secure against quantum adversaries. This is stated more precisely below.
Observation 6 (CLOS proof structure).
In CLOS, the security proofs for the semihonest protocol and the protocol for in hybrid model against static adversaries consist of simple hybrid arguments with and .
Moreover, the underlying indistinguishable distributions in the CLOS arguments consist of either (i) switching between a real public key and a uniformly random string, (ii) changing the plaintext of an encryption, or (iii) changing the message in the commit phase of a commitment protocol.
From this observation, we get the corollary below.
Corollary 7 (CLOS—simple hybrids).

In the hybrid model and under Assumption 1, there is a nontrivial protocol that UCemulates in the presence of polynomialtime malicious static quantum adversaries.

Let be a wellformed twoparty functionality. In the plain model, there is a protocol that UCemulates in the presence of polynomialtime semihonest static quantum adversaries under Assumption 2.
Proof.
Observation 6 tells us there are two types of proofs in CLOS, so we only have to show both can be augmented to hold against quantum adversaries. On the one hand, simple hybrid arguments in CLOS still hold if we make assumptions 1 and 2, because the underlying distributions in these hybrid experiments will remain indistinguishable against quantum distinguishers. On the other hand, we know quantum UC composition also holds by Theorem 7.
More specifically, for the protocol in hybrid model, the simply hybrid machines in its proof are related by switching the messages being committed. Hence protocol remains secure against malicious static quantum adversaries under Assumption 1. In the semihonest setting, an OT protocol can be constructed from a dense cryptosystem (Assumption 2), see Goldreich [37]. Its proof consists of simply related machines that are related by either switching between a valid public key and a random string (when sender is corrupted) or switching the plaintext of an encryption (when receiver is corrupted). Therefore, this protocol CQUC emulates against semihonest quantum adversaries. Next in hybrid model, the construction for an arbitrary is unconditionally secure, which, by Unruh’s lifting theorem, remains quantumUC secure. Hence quantum UC composition theorem gives that there is a classical protocol that CQUC emulates in the presence of semihonest static quantum adversaries. ∎
Combining the previous arguments we can prove Theorem 1.
Proof of Theorem 1.
Fix a wellformed functionality and let be the protocol for in the semihonest model guaranteed by the second part of Corollary 7. Now consider . We want to show that it CQUC emulates . Theorem 8 tells us that it suffices to consider the classical dummy adversary . By [15, Proposition 8.1], the interaction of the dummy adversary with (in the hybrid model) is identical to the interaction of the adversary with (in the semihonest model). By the security of in the semihonest model, there exists an idealworld adversary such that . Thus, securely emulates in the hybrid model against malicious adversaries. By the quantum UC composition theorem, we can compose with the protocol for to get a protocol secure against malicious quantum adversaries in the hybrid model. ∎
4.2 Realizing with Standalone Security
In this section, we construct a protocol that quantum standalone emulates . In the standalone model, is more commonly referred to as zeroknowledge argument of knowledge.
We will use a dense encryption scheme (Gen, Enc, Dec) as in Assumption 2. Note that Enc is a randomized algorithm and we denote by the encryption of a message under a public key using randomness , But unless when needed, we usually omit the randomness in the notation and write . We will also need a result of Watrous’s [72], where he showed that there exist classical zeroknowledge proofs for any NP language that are secure against any polytime quantum verifiers. For completeness we give his definition (adapted to our terminology) of quantum computational zeroknowledge proof [72, Definition 7].
Definition 8.
An interactive proof system for a language is quantum computational zeroknowledge if, for every polytime QIM , there exists a polytime QIM that satisfies the following requirements.

The verifier and simulator agree on the polynomially bounded functions and that specify the number of auxiliary input qubits and output qubits, respectively.

Let be the machine describing that interaction between and on input , and let be the simulator’s machine on input . Then the ensembles and are quantum computationally indistinguishable as per Definition 3.
Now that we have all building blocks ready, our construction of a classical ZKAoK protocol is as follows.
ZKAoK Protocol
Phase 1
chooses at random, and sends
a commitment of : .
sends to . sends string . proves to that is indeed a commitment of using Watrous’s ZK protocol. and set and interpret it as a public key. Phase 2 , holding an instance and a witness , encrypts under . Let . sends to . proves to that encodes a witness of using Watrous’s ZK protocol. accepts if it accepts in this ZK protocol. Otherwise it rejects and halts. 
Theorem 9.
Protocol quantum standaloneemulates .
The full proof appears in Sect. 4.2.1. We provide a brief and intuitive justification here. Roughly speaking, Phase 1 constitutes what may be called a “semisimulatable” coinflipping protocol. Specifically we can simulate a corrupted Prover. This implies that a simulator can “cheat” in Phase 1 and force the outcome to be a public key of which he knows a corresponding secret key , so that can decrypt to recover in the end. This allows us to show argument of knowledge (in our standalone model). On the other side, although generally we cannot simulate a corrupted verifier in Phase 1, we can guarantee that the outcome is uniformly random if the verifier behaves honestly. This is good enough to show zeroknowledge, because we can later encrypt an allzero string and use the simulator for the ZK protocol in Phase 2 to produce a fake proof. In reality, a corrupted verifier may bias the coinflipping outcome by aborting dependent on Prover’s message for example. This technical subtlety, nonetheless, is not hard to deal with. Intuitively the verifier only sees “less” information about the witness if he/she decides to abort in Phase 1.
Proof of Theorem 9: Quantum Standalone Secure ZKAoK
For the sake of clarity, we propose a noninteractive notion of simple hybrid argument, analogous to Def. 4, which formalizes a common structure in standalone security proofs.
Definition 10 (Simply related noninteractive machines).
We say two QTMs and are simply related if there is a time QTM and a pair of QTMs such that

(for two QTMs and , we say if they can be described by the same circuits),

, and

.
Remark 3.
Definition 11 (Simple hybrid argument (noninteractive version)).
Two machines and are related by a simple hybrid argument of length if there is a sequence of intermediate machines such that each adjacent pair of machines, , is simply related.
Lemma 12.
For any and , if two machines are related by a simple hybrid argument of length , then the machines are indistinguishable.
Proof.
Suppose for contradiction, there exists a time QTM with advice such that . Then by triangle inequality we can infer that there must exist some s.t. . However, by assumption and are (simply related and in particular no time QTMs can distinguish them with advantage greater than . ∎
Remark 4.
Actually, the proof of our modular composition can be seen as a simple hybrid argument. Specifically in step 3, and are simply related by and .
We now prove Theorem 9 following the (noninteractive) simply hybrid argument framework.
Proof of Theorem 9.
We denote the two ZK proof systems in Phase 1 & 2 by ZK and ZK respectively. The two NP languages, formalized below, are denoted by and respectively.
The simulators of ZK and ZK are denoted by and respectively. We stress that Watrous’s ZK protocol has negligible completeness and soundness errors, and in addition the simulator succeeds for arbitrary quantum polytime verifiers on true instances, except with negligible probability.
Prover is Corrupted. For any realworld adversary , we construct an idealworld adversary .
Simulator :
Prover is corrupted
Input: as a black box; security parameter .
initializes with whatever input
state it receives.
In Phase 1, does the following:
Compute and send it to
.
Obtain from .
Run Gen to obtain .
Send to .
Run the simulator for ZK with input .
In Phase 2, obtains and executes ZK with . If ZK succeeds, decrypts to get and sends to . outputs whatever outputs. 
Let be the QTM of idealworld interaction between and ; and let describing realworld interaction between and .
Lemma 13.
.
Proof.
We define a sequence of machines to form a hybrid argument:
Hybrid Machines:
relating and
. Specifically, on any input state, the output has two parts: one part corresponds to the adversary ’s output state, and the other corresponds to the dummy verifier’s output, which is accepting if obtained by in step 3 is a valid witness, i.e., .
: differ from only in that always let the dummy verifier accept as long as ZK succeeds. : differs from in the message in Phase 1: instead of sending , in , is set to be a uniformly random string. : in the first step of Phase 1, commits to instead of committing to . : instead of running simulator , executes the actual ZK protocol. Observe that . 
Now it is easy to see: