Classical Cryptographic Protocols in a Quantum World
Cryptographic protocols, such as protocols for secure function evaluation (SFE), have played a crucial role in the development of modern cryptography. The extensive theory of these protocols, however, deals almost exclusively with classical attackers. If we accept that quantum information processing is the most realistic model of physically feasible computation, then we must ask: what classical protocols remain secure against quantum attackers?
Our main contribution is showing the existence of classical two-party protocols for the secure evaluation of any polynomial-time function under reasonable computational assumptions (for example, it suffices that the learning with errors problem be hard for quantum polynomial time). Our result shows that the basic two-party feasibility picture from classical cryptography remains unchanged in a quantum world.
- 1 Introduction
- 2 Preliminaries
- 3 Modeling Security in the Presence of Quantum Attacks
- 4 Classical Protocols with Quantum Security
- 5 Equivalence Between and
- A Proof of Modular Composition Theorem
- B A Special Constraint in Quantum Stand-Alone Model: Markov Condition
Cryptographic protocols, such as protocols for secure function evaluation (SFE), have played a crucial role in the development of modern cryptography. Goldreich, Micali and Wigderson , building on the development of zero-knowledge (ZK) proof systems [40, 39], showed that SFE protocols exist for any polynomial-time function under mild assumptions (roughly, the existence of secure public-key cryptosystems). Research into the design and analysis of such protocols is now a large subfield of cryptography; it has also driven important advances in more traditional areas of cryptography such as the design of encryption, authentication and signature schemes.
The extensive theory of these protocols, however, deals almost exclusively with classical attackers. However, given our current understanding of physics, quantum information processing is the most realistic model of physically feasible computation. It is natural to ask: what classical protocols remain secure against quantum attackers? In many cases, even adversaries with modest quantum computing capabilities, such as the ability to share and store entangled photon pairs, are not covered by existing proofs of security.
Clearly not all protocols are secure: we can rule out anything based on the computational hardness of factoring, the discrete log , or the principal ideal problem . More subtly, the basic techniques used to reason about security may not apply in a quantum setting. For example, some information-theoretically secure two-prover ZK and commitment protocols are analyzed by viewing the provers as long tables that are fixed before queries are chosen by the verifier; quantum entanglement breaks that analysis and some protocols are insecure against colluding quantum provers (Crépeau et al., ).
In the computational realm, rewinding is a key technique for basing the security of a protocol on the hardness of some underlying problem. Rewinding proofs consist of a mental experiment in which the adversary is run multiple times using careful variations of a given input. At first glance, rewinding seems impossible with a quantum adversary since running it multiple times might modify the entanglement between its internal storage and an outside reference system, thus changing the overall system’s behavior.
In a breakthrough paper, Watrous  showed that a specific type of zero-knowledge proof (3-round, GMW-style protocols) can be proven secure using a rewinding argument tailored to quantum adversaries. Damgård and Lunemann  showed that a similar analysis can be applied to a variant of Blum’s coin flipping protocol. Hallgren et al.  showed certain classical transformations from honest-verifier to malicious-verifier ZK can be modified to provide security against malicious quantum verifiers. Some information-theoretically secure classical protocols are also known to resist quantum attacks [20, 7, 32, 68]. Finally, there is a longer line of work on protocols that involve quantum communication, dating back to Bennett and Brassard . Overall, however, little is known about how much of the classical theory can be carried over to quantum settings. See “Related Work”, below, for more detail.
1.1 Our Contributions
Our main contribution is showing the existence of classical two-party protocols for the secure evaluation of any polynomial-time function under reasonable computational assumptions (for example, it suffices that the learning with errors problem  be hard for quantum polynomial time). Our result shows that the basic two-party feasibility picture from classical cryptography remains unchanged in a quantum world. The only two-party general SFE protocols which had previously been analyzed in the presence of quantum attackers required quantum computation and communication on the part of the honest participants (e.g. [21, 27]).
In what follows, we distinguish two basic settings: in the stand-alone setting, protocols are designed to be run in isolation, without other protocols running simultaneously; in network settings, the protocols must remain secure even when the honest participants are running other protocols (or copies of the same protocol) concurrently. Protocols proven secure in the universal composability (UC) model  are secure in arbitrary network settings, but UC-security is impossible to achieve in many scenarios.
Our contributions can be broken down as follows:
General Modeling of Stand-Alone Security with Quantum Adversaries. We describe a security model for two-party protocols in the presence of a quantum attackers. Proving security in this model amounts to showing that a protocol for computing a function behaves indistinguishably from an “ideal” protocol in which is computed by a trusted third party, which we call the ideal functionality . Our model is a quantum analogue of the model of stand-alone security developed by Canetti  in the classical setting. It slightly generalizes the existing model of Damgård et al.  in two ways. First, our model allows for protocols in which the ideal functionalities process quantum information (rather than only classical functionalities). Second, it allows for adversaries that take arbitrary quantum advice, and for arbitrary entanglement between honest and malicious players’ inputs. Our model may be viewed as a restriction of the quantum UC model of Unruh  to noninteractive distinguishers, and we use that connection in our protocol design (see below). We also discuss possible variants of quantum stand-alone models and initiate a study on their relationships, which connects to interesting questions in a broad scope.
We show a sequential modular composition theorem for protocols analyzed in our model. Roughly, it states that one can design protocols modularly, treating sub-protocols as equivalent to their ideal versions when analyzing security of a high-level protocol. While the composition result of Damgård et al.  allows only for classical high-level protocols, our result holds for arbitrary quantum protocols.
Classical Zero-knowledge Arguments of Knowledge Secure Against Quantum Adversaries. We construct a classical zero-knowledge argument of knowledge (ZKAoK) protocol that can be proven secure in our stand-alone model. Our construction is “witness-extendable” (Lindell ), meaning that one can simulate an interaction with a malicious prover and simultaneously extract a witness of the statement whenever the prover succeeds. Our security proof overcomes a limitation of the previous construction of (two-party) quantum proofs of knowledge (Unruh ), which did not have a simulator for malicious provers. Such a simulator is important since it allows one to analyze security when using a proof of knowledge as a subprotocol. As in the classical case, our ZKAoK protocol is an important building block in designing general SFE protocols.
The main idea behind our construction is to have the prover and verifier first execute a weak coin-flipping protocol to generate a public key for a special type of encryption scheme. The prover encrypts his witness with respect to this public key and proves consistency of his ciphertext with the statement using the ZK protocols analyzed by Watrous . A simulator playing the role of the verifier can manipulate the coin-flipping phase to generate a public key for which she knows the secret key, thus allowing her to extract the witness without needing to rewind the prover. A simulator playing the role of the prover, on the other hand, cannot control the coin flip (to our knowledge) but can ensure that the public key is nearly random. If the encryption scheme satisfies additional properties (that can be realized under widely used lattice-type assumptions), we show that the verifier’s view can nonetheless be faithfully simulated.
Classical UC Protocols in a Quantum Context: Towards Unruh’s Conjecture. We show that a large class of protocols which are UC-secure against computationally bounded classical adversaries are also UC-secure against quantum adversaries. Unruh  showed that any classical protocol which is proven UC-secure against unbounded classical adversaries is also UC-secure against unbounded quantum adversaries. He conjectured (roughly, see  for the exact statement) that classical arguments of computational UC security should also go through as long as the underlying computational primitives are not easily breakable by quantum computers.
We provide support for this conjecture by describing a family of
classical security arguments that go through verbatim with quantum
adversaries. We call these arguments “simple hybrid arguments”.
They use rewinding neither in the simulation nor in any of the steps
that show the correctness of simulation.
Our observation allows us to port a general result of Canetti et al.  to the quantum setting. We obtain the following: in the -hybrid model, where a trusted party implementing ZKAoK is available, there exist classical protocols for the evaluation of any polynomial-time function that are UC-secure against quantum adversaries under reasonable computational assumptions. As an immediate corollary, we get a classical protocol that quantum-UC emulates the ideal functionality for coin-flipping, assuming UC-secure ZK.
New Classical UC Protocols Secure Against Quantum Attacks. We construct new two-party protocols that are UC-secure against quantum adversaries. Adapting ideas from Lindell , we show a constant-round classical coin-flipping protocol from ZK (i.e. in -hybrid model). Note that the general feasibility result from above already implies the existence of a quantum-UC secure coin-flipping protocol, but it needs polynomially many rounds. Conversely, we can also construct a constant-round classical protocol for ZKAoK that is UC-secure against quantum adversaries, assuming a trusted party implementing coin-flipping, i.e. in the -hybrid model (essentially equivalent to the common reference string model, where all participants have access to a common, uniformly distributed bit string). This establishes the equivalence between and in the quantum UC model, which may be of independent interest, e.g., in simplifying protocol designs. It has also motivated a subsequent work by Fehr et el.  where they showed interesting connections between ideal functionalities in the quantum-UC model in a systematic way.
Implications. The modular composition theorem in our stand-alone model allows us to get the general feasibility result below by combining our stand-alone ZKAoK protocol and the UC-secure protocols in -hybrid model:
Under standard assumptions, there exist classical SFE protocols in the plain model (without a shared random string) which are stand-alone-secure against static quantum adversaries. This parallels the classic result of Goldreich, Micali and Wigderson .
The equivalence of zero-knowledge and coin-flipping functionalities in the UC model also has interesting implications. First, the availability of a common reference string (CRS) suffices for implementing quantum-UC secure protocols. Secondly, given our stand-alone ZKAoK protocol, we get a quantum stand-alone coin-flipping protocol.
Independently of our work, Lunemann and Nielsen , via a different route, also showed the existence of classical two-party SFE protocols secure against quantum attacks. See the discussion at the end of “Related Work”.
1.2 Related work
In addition to the previous work mentioned above, we expand here on three categories of related efforts.
Composition Frameworks for Quantum Protocols. Systematic investigations of the composition properties of quantum protocols are relatively recent. Canetti’s UC framework and Pfitzmann and Waidner’s closely related reactive functionality framework were extended to the world of quantum protocols and adversaries by Ben-Or and Mayers  and Unruh [67, 68]. These frameworks (which share similar semantics) provide extremely strong guarantees—security in arbitrary network environments. They were used to analyze a number of unconditionally secure quantum protocols (key exchange  and multi-party computation with honest majorities ). However, many protocols are not universally composable, and Canetti  showed that classical protocols cannot UC-securely realize even basic tasks such as commitment and zero-knowledge proofs without some additional setup assumptions such as a CRS or public-key infrastructure.
Damgård et al., building on work by Fehr and Schaffner , proposed a general composition framework which applies only to secure quantum protocols of a particular form (where quantum communication occurs only at the lowest levels of the modular composition). As noted earlier, our model is more general and captures both classical and quantum protocols. Recently, Maurer and Renner proposed a new composable framework called Abstract Cryptography , and it has been adapted to analyzing quantum protocols as well .
Analyses of Quantum Protocols. The first careful proofs of security of quantum protocols were for key exchange (Mayers , Lo and Chau , Shor and Preskill , Beaver ). Research on quantum protocols for two-party tasks such as coin-flipping, bit commitment and oblivious transfer dates back farther [11, 9], though some initially proposed protocols were insecure . The first proofs of security of such protocols were based on computational assumptions [28, 21]. They were highly protocol-specific and it was not known how well the protocols composed. The first proofs of security using the simulation paradigm were for information-theoretically-secure protocols for multi-party computations assuming a strict majority of honest participants [20, 22, 7]. More recently, Dupuis et al. [30, 31] constructed two-party quantum protocols for evaluating arbitrary unitary operations, which they proved secure under reasonable computational assumptions in a simulation-based definition similar to what we propose in this work. There was also a line of work on the bounded quantum storage model [26, 25, 32, 69] developed tools for reasoning about specific types of composition of two-party protocols, under assumptions on the size of the adversary’s quantum storage. Many tools have been developed in recent years on modeling and analyzing composable security for protocols of device-independent quantum key-exchange and randomness expansion [33, 71, 58, 18].
Straight-Line Simulators and Code-Based Games. As mentioned above, we introduce “simple hybrid arguments” to capture a class of straightforward security analyses that go through against quantum adversaries. Several formalisms have been introduced in the past to capture classes of “simple” security arguments. To our knowledge, none of them is automatically compatible with quantum adversaries. For example, straight-line black-box simulators  do not rewind the adversary nor use an explicit description of its random coins; however, it may be the case that rewinding is necessary to prove that the straight-line simulator is actually correct. In a different vein, the code-based games of Bellare and Rogaway  capture a class of hybrid arguments that can be encoded in a clean formal language; again, however, the arguments concerning each step of the hybrid may still require rewinding.
Independent Work. Lunemann and Nielsen  independently obtained similar results to the ones described here, via a slightly different route. Specifically, they start by constructing a stand-alone coin-flipping protocol that is fully simulatable against quantum poly-time adversaries. Then they use the coin-flipping protocol to construct a stand-alone ZKAoK protocol, and finally by plugging into the GMW construction, they get quantum stand-alone-secure two-party SFE protocols as well. The computational assumptions in the two works are similar and the round complexities of the stand-alone SFE protocols are both polynomial in the security parameter. Our approach to composition is more general, however, leading to results that also apply (in part) to the UC model.
1.3 Future Directions
Our work suggests a number of straightforward conjectures. For example, it is likely that our techniques in fact apply to all the results in CLOS (multi-party, adaptive adversaries) and to corresponding results in the “generalized” UC model . Essentially all protocols in the semi-honest model seem to fit the simple hybrids framework, in particular protocols based on Yao’s garbled-circuits framework (e.g. ). It is also likely that existing proofs in security models which allow super-polynomial simulation (e.g., [62, 63, 1]) will carry through using a similar line of argument to the one here.
However, our work leaves open some basic questions: for example, can we construct constant-round ZK with negligible completeness and soundness errors against quantum verifiers? Watrous’s technique does not immediately answer it since sequential repetition seems necessary in his construction to reduce the soundness error. A quick look at classical constant-round ZK (e.g., ) suggests that witness-indistinguishable proofs of knowledge are helpful. Is it possible to construct constant-round witness-extendable WI proofs of knowledge? Do our analyses apply to extensions of the UC framework, such the generalized UC framework of Canetti et al. ? Finally, more generally, which other uses of rewinding can be adapted to quantum adversaries? Aside from the original work by Watrous , Damgård and Lunemann  and Unruh  have shown examples of such adaption.
Organization. The rest of the paper is organized as follows: Section 2 reviews basic notations and definitions. In Section 3, we propose our quantum stand-alone security model. We show our main result in Section 4. Specifically, Section 4.1 establishes quantum-UC secure protocols in -hybrid model. A quantum stand-alone-secure ZKAoK protocol is developed in Section 4.2. Finally in Section 5, we discuss equivalence of and .
For , denotes the set . We use to denote a security parameter. The security parameter, represented in unary, is an implicit input to all cryptographic algorithms; we omit it when it is clear from the context. Quantities derived from protocols or algorithms (probabilities, running times, etc.) should be thought of as functions of , unless otherwise specified. A function is said to be negligible if for any constant , and is used to denote an unspecified function that is negligible in . We also use to denote an unspecified function for some constant . When is a probability distribution, the notation indicates that is a sample drawn according to . When is a finite set, we implicitly associate with it the uniform distribution over the set. If is a probabilistic algorithm, denotes the distribution over the output of corresponding to input . We will sometimes use the same symbol for a random variable and for its probability distribution when the meaning is clear from the context. Let and be two ensembles of binary random variables. We call indistinguishable, denoted , if .
We assume the reader is familiar with the basic concepts of quantum information theory (see, e.g., ). We use a sans serif letter (e.g. ) to denote both a quantum register and the corresponding Hilbert space. We use if we want to be specific about the security parameter. Let denote the space for qubits. Let be the set of density operators acting on space and be the set of linear operators from space to .
Quantum Machine Model. We adapt Unruh’s machine model in  with minor changes. A quantum interactive machine (QIM) is an ensemble of interactive circuits . The index set is typically the natural numbers or a set of strings (or both). We give our description here with respect to . For each value of the security parameter, consists of a sequence of circuits , where defines the operation of in one round and is the number of rounds for which operates (we assume for simplicity that depends only on ). We omit the scripts when they are clear from the context or are not essential for the discussion. Machine (or rather each of the circuits that it comprises) operates on three registers: a state register used for input and workspace; an output register ; and a network register for communicating with other machines. The size (or running time) of is the sum of the sizes of the circuits . We say a machine is polynomial time if and there is a deterministic classical Turing machine that computes the description of in polynomial time on input .
When two QIMs and interact, they share network register . The circuits and are executed alternately for . When three or more machines interact, the machines may share different parts of their network registers (for example, a private channel consists of a register shared between only two machines; a broadcast channel is a register shared by all machines). The order in which machines are activated may be either specified in advance (as in a synchronous network) or adversarially controlled.
A non-interactive quantum machine (referred to as QTM hereafter) is a QIM with network register empty and it runs for only one round (for all ). This is equivalent to the quantum Turing machine model (see ).
A classical interactive Turing machine is a special case of a QIM, where the registers only store classical strings and all circuits are classical. This is also called an interactive Turing machine (ITM) with advice (Canetti [12, 13]).
Indistinguishability of Quantum States. Let and be ensembles of mixed states indexed by , where and are both -qubit states for some polynomially bounded function . We first define a somewhat weak notion of indistinguishability of quantum state ensembles.
Definition 1 (-weakly indistinguishable states).
We say two quantum state ensembles and are -weakly indistinguishable, denoted , if for every -time QTM ,
The states and are called weakly computationally indistinguishable, denoted , if for every polynomial , there exists a negligible such that and are -weakly computationally indistinguishable.
A stronger notion of indistinguishability of quantum states was proposed by Watrous [72, Definition 2]. The crucial distinction is that a distinguisher is allowed to take quantum advice.
Definition 2 (-indistinguishable states).
We say two quantum state ensembles and are -indistinguishable, denoted , if for every -time QTM and any mixed state ,
The states and are called quantum computationally indistinguishable, denoted , if for every polynomial , there exists a negligible such that and are -indistinguishable.
The two definitions above subsume classical distributions as a special case, since classical distributions can be represented by density matrices that are diagonal with respect to the standard basis.
Indistinguishability of Quantum Machines. Now we introduce the notion of distinguishing two QTMs.
Definition 3 (-indistinguishable QTMs).
We say two QTMs and are -indistinguishable, denoted , if for any -time QTM and any mixed state , where is an arbitrary reference system,
Machines and are called quantum computationally indistinguishable, denoted , if for every polynomial , there exists a negligible such that and are -computationally indistinguishable.
This definition is equivalent to quantum computationally indistinguishable super-operators proposed by Watrous [72, Definition 6]. If we do not restrict the running time of the distinguisher, we obtain a statistical notion of indistinguishability. Let be the trace distance between density operators.
Definition 4 (-indistinguishable QTMs in diamond norm).
We say two QTMs and are -indistinguishable in diamond norm, denoted , if for any , being an arbitrary reference system,
QIMs and are said to be indistinguishable in diamond norm, denoted , if there exists a negligible such that and are -indistinguishable in diamond norm.
Indistinguishability of QIMs. Next, we generalize the definitions of indistinguishability above to interactive quantum machines. Let and be two QIMs, we denote as the following process: machine is initialized with , it then provides input to and interacts with . In the end, the output register of is given to and generates one classical bit on its own output register.
Definition 5 (-indistinguishable QIMs).
We say two QIMs and are -interactively indistinguishable, denoted , if for any quantum -time interactive machine and any mixed state on qubits,
QIMs and are called quantum computationally interactively indistinguishable, denoted , if for every , there exists a negligible such that and are -interactively indistinguishable.
We may call such an interactive distinguisher. We can likewise define statistically interactively indistinguishable QIMs, denoted , if we allow unbounded interactive distinguisher .
Quantum interactive machines, as we defined earlier, actually can be seen as a subset of quantum strategies, formulated in . Namely, a QIM is a strategy in which each channel can be implemented by a uniformly generated circuit. Therefore we can as well define statistically interactively indistinguishability using the norm for quantum strategies. See Gutoski  and Chiribella et al.  for details about characterizing distinguishability of quantum strategies using the norm.
Ideal functionalities. We sketch ideal functionalities, i.e., the programs of a trusted party in an ideal protocol, for a few basic cryptographic tasks.
Commitment : At “Commit” stage, Alice (the committer) inputs a bit and Bob (the receiver) receives from a notification that a bit was committed. At “Open” stage, Alice can input the command open to who then sends Bob .
Oblivious Transfer : Alice (the sender) inputs bits and Bob (the receiver) inputs a selection bit . Bob receives from .
Zero-knowledge : Let be an NP relation. Upon receiving from Alice, verifies . If yes, it sends to Bob; otherwise it instructs Bob to reject.
Coin Flipping : Alice and Bob input the request to , and randomly chooses and sends it to Alice. Alice responds with “acc” or “rej” indicating continuing or aborting respectively. In the case of “acc”, sends to Bob and otherwise sends Bob . Note the functionality is asymmetric in the sense that Alice gets the coins first. This avoids the complicated issue about fairness, which has been an active line of research in classical cryptography (see for example [19, 48, 59, 41]) and is beyond the scope of this paper.
3 Modeling Security in the Presence of Quantum Attacks
In this section, we propose a stand-alone security model for two-party protocols in the presence of quantum attacks and show a modular composition theorem in this model, which allows us to use secure protocols as ideal building blocks to construct larger protocols. We also discuss variants of our stand-alone model in a unified framework. To be self-contained, we review in Section 3.2 the quantum universal-composable (UC) security model, which is a generalization of classical UC model to the quantum setting.
3.1 A General Quantum Stand-Alone Security Model
Our model follows the real-world/ideal-world simulation paradigm. It proceeds in three high-level steps: (i) Formalizing the process of executing a protocol in the presence of adversarial activities. (ii) Formalizing an ideal-world protocol for realizing the desired task. This is an (imaginary) idealized protocol which captures the security guarantees we want to achieve. (iii) Finally we say a (real-world) protocol realizes a task securely if it “behaves similarly” to the ideal-world protocol for that task (Definition 3). “Behaving similarly” is formalized by the notion of stand-alone emulation between protocols (Definition 1, 2).
Our definition can be viewed in two ways: either as a quantum analogue
of Canetti’s classical stand-alone model  or as a relaxed
notion of (a variant of) Unruh’s quantum UC
security . Prior to our work, stand-alone security
definitions for quantum attacks were largely developed ad
We describe our model for the two-party setting; it is straightforward to extend to multi-party setting. We first introduce a few important objects in our model. We formalize a cryptographic task by an interactive machine called a functionality. It contains the instructions to realize the task, and we usually denote it by or . While our model applies to both classical and quantum functionalities, our focus in this work will be efficient classical functionalities. Namely is a classical probabilistic polynomial-time machine. A two-party protocol for a task consists of a pair of interactive machines . We call a protocol poly-time if are both poly-time machines. We typically use Greek letters (e.g., ) to denote protocols. If we want to emphasize that a protocol is classical, i.e., computation and all messages exchanged are classical, we then use lower-case letters (e.g., ). Finally, an adversary, usually denoted or , is another interactive machine that intends to attack a protocol. Very often we abuse notation and do not distinguish a machine and the player that runs the machine. This should not cause any confusion.
Protocol Execution. We consider executing a protocol in the presence of an adversary . Their state registers are initialized by a secure parameter and a joint quantum state . Adversary gets activated first and coordinates the execution. Specifically, the operations of each party are:
Adversary : it may either deliver a message to some party or corrupt a party. Delivering a message is simply instructing the designated party (i.e., the receiver) to read the proper segment of his network register. We assume all registers are authenticated so that cannot modify them and in particular if the register is private to the party, may not read the content. Other than that, can for example schedule the messages to be delivered in any arbitrary way. If corrupts a party, the party passes all of its internal state to and follows the instructions of . In the two-party setting, corrupting a party can be simply thought of as substituting the machine of for the machine of the corrupted party.
Parties in : once a party receives a message from , it gets activated and runs its machine. At the end of one round, some message is generated on the network register. Adversary is activated again and controls message delivery. At some round, the party generates some output and terminates.
Clearly, we can view and as a whole and model the composed system as another QIM, call it . Then executing in the presence of is just running on some input state, which may be entangled with a reference system that will be handed to the distighuisher.
Protocol Emulation. As indicated earlier, a secure protocol is supposed to “emulate” an idealized protocol. Here we formally define emulation between protocols. Let and be two protocols. Let be the composed machine of and an adversary , and be that of and another adversary . Informally, emulates if the two machines and are indistinguishable.
Definition 1 (Computationally Quantum-Stand-Alone Emulation).
Let and be two poly-time protocols. We say computationally quantum-stand-alone (C-QSA) emulates , if for any poly-time QIM there exists a poly-time QIM such that
Definition 2 (Statistically Quantum-Stand-Alone Emulation).
Let and be two poly-time protocols. We say statistically quantum-stand-alone (S-QSA) emulates , if for any QIM there exists an QIM that runs in poly-time of that of , such that .
Ideal-world Protocol and Secure Realization of a Functionality. We formalized protocol emulation in a general form which applies to any two protocols. But it is of particular interest to emulate a special type of protocol which captures the security guarantees we want to achieve. We formalize the so-called ideal-world protocol for a functionality . In this protocol, two (dummy) parties and have access to an additional “trusted” party that implements . We may abuse notation and call the trusted party too. Basically and invoke with their inputs, and then runs on the inputs and sends the respective outputs back to and . An execution of with an adversary is similar to our prior description for executing a (real-world) protocol, except that cannot be corrupted. Likewise, we denote the composed machine of and as . We state the definition in the computational setting; statistical emulation is defined analogously.
Definition 3 (C-Qsa Realization of a Functionality).
Let be a poly-time two-party functionality and be a poly-time two-party protocol. We say computationally quantum-stand-alone realizes , if C-QSA emulates . Namely, for any poly-time , there is a poly-time such that .
It is conventional to use to denote the binary output distribution ensemble of that runs on the output state of an execution of and with input . Likewise, denotes the binary output distribution ensemble of in an execution of the ideal-world protocol . Definition 3 can be restated as requiring that for any poly-time there exists a poly-time such that, for any poly-time and state , we have
Types of Attack. Typically, we need to speak of security against a specific class of adversaries. We have distinguished two classes of adversaries according to their computational complexity, i.e., poly-time vs. unbounded time. We also categorize adversaries according to how they corrupt the parties and how they deviate from the honest behavior defined by the protocol. The standard two types of corruptions considered in the literature are static vs. adaptive corruptions. Under static corruption, the identities of corrupted parties are determined before protocol starts. In contrast, adaptive corruption allows an adversary to change the party to corrupt adaptively during the execution. This work only concerns static corruption.
In terms of what dishonest behaviors are permitted for an adversary, again two classes are considered standard in the literature: semi-honest (a.k.a. passive or honest-but-curious) and malicious (a.k.a. active). A semi-honest adversary, after corrupting a party, still follows the party’s circuit, except that in the end it processes the output and the state of the party. A malicious adversary, however, can substitute any circuit for the corrupted party. In the definitions of the protocol emulation, unless otherwise specified, the two adversaries in the real-world and ideal-world must belong to the same class. For example, if is semi-honest, must also be semi-honest.
These notions of different classes of adversaries naturally extend to quantum adversaries, except for one subtlety in defining semi-honest quantum adversaries. There are two possible definitions. One definition, which may be referred to as the Lo-Chau-Mayers semi-honest model [52, 56], allows to run the circuit of the corrupted party, which is specified by the protocol, coherently. Namely purifies the circuit of corrupted party so that all operations are unitary. For example, instead of measuring a quantum state, the register is “copied” by a CNOT operation to an ancillary register. Another definition forces the adversary to exactly faithfully follow the corrupted party’s circuit during the protocol execution, so that any quantum measurement occurs instantaneously and possibly destructively. In other words, in the second model, a semi-honest quantum adversary only corrupts a party at the end of the protocol execution, and then processes the internal state and transcript that the corrupted party holds. This second model is generally weaker than the first, in the sense that the adversary is more restricted. In this paper, we focus on the second of these two notions.
Modular Composition Theorem
It is common practice in the design of large protocols to divide a task into several subtasks. We first realize each subtask, and then use these modules as building blocks (subroutines) to realize the initial task. In this section, we show that our definition allows such modular design.
Composition Operation. Let be a protocol that uses another protocol as a subroutine, and let be a protocol that QSA emulates . We define the composed protocol, denoted , to be the protocol in which each invocation of is replaced by an invocation of . We allow multiple calls to a subroutine and also using multiple subroutines in a protocol . However, we require that at any point, only one subroutine call be in progress; that is, we handle sequential composition. This is weaker than the “network” setting, where many instances and subroutines may be executed concurrently.
We can show that our quantum stand-alone model admits a modular composition theorem.
Theorem 4 (Modular Composition: General Statement).
Let , and be two-party protocols such that C-QSA (resp. S-QSA) emulates , then C-QSA (resp. S-QSA) emulates .
The proof can be found in Appendix A. Here we discuss an important type of protocol where the composition theorem is especially useful.
Protocols in a Hybrid Model. We next define a hybrid
model, in which the parties can make calls to an ideal-world protocol
of some functionality
Now assume that we have a protocol that realizes and we have designed a -hybrid protocol realizing another functionality . Then the composition theorem allows us to treat sub-protocols as equivalent to their ideal versions when analyzing security of a high-level protocol.
Corollary 5 (Modular Composition: Realizing Functionalities).
Let and be poly-time functionalities. Let be a -hybrid protocol that C-QSA (resp. S-QSA) realizes , and be a protocol that C-QSA (resp. S-QSA) realizes , then C-QSA (resp. S-QSA) realizes .
Variants of Quantum Stand-Alone Models: A Unified Framework
When defining a security model, there are lots of choices qualifying and quantifying the power of the adversaries to account for various security requirements. Here we provide an abstract stand-alone model for both classical and quantum cryptographic protocols, illustrated in Figure 4, which contains three natural choices for the adversaries which we think are essential. This abstract model captures all existing stand-alone security models (including ours) and this allows for a unified study of, and comparison among, these models. The relationship between these models may be interesting beyond the study of SFE.
The model contains an environment and a protocol. Depending on whether the protocol is in real or ideal world, we have the honest party, the (real-or ideal-world) adversary and possibly the trusted party. Here we think of the environment as two separate machines: , which we may call an input sampler, prepares inputs to the players; and that receives outputs and makes the decision. Now we consider the following choices:
Does , the input sampler, have a quantum advice ? In other words, do we allow arbitrary input states or only states that can be generated efficiently?
Does , which is essentially a distinguisher, take quantum advice ?
Does pass a state to ? Namely, does the environment keep state during the execution?
Notice that positive answers potentially give more power to the adversaries and thus provides stronger security guarantee. Also note that all machines are always allowed to take classical advice. We may denote a security model as where the subscripts are from indicating each of the choices made for the model. For example corresponds to the model that gets quantum advice; takes no quantum advice and passes state to –this exactly leads to our model in Def. 1. Similarly, is the model where and both take quantum advice, and there is state passing from to .
We say two models and are equivalent if for any two protocols and , it holds that emulates in if and only if emulates in . It is conceivable that some of the combinations collapse to the same model. For example, if all players are classical circuits, then all eight models collapse. This is because classical (non-uniform) machines can only measure a quantum state in computational basis to obtain a classical string from a certain distribution. But a classical circuit can be hardwired with any classical string, and so (quantum) advice gives no extra power to a classical circuit. Passing state likewise becomes vacuous.
When we consider an adversary and environment consisting of quantum circuits, the situation becomes generally more complicated. We can observe that choice (b) becomes irrelevant once we permit arbitrary input state and state passing (i.e., ). We conjecture that state passing makes no difference either. If this is indeed true, then all the variants collapse when takes quantum advice. On the other hand, if takes no advice (i.e. only efficiently generated input states are allowed), we are left with two variants and . The relationship between these two models is closely related to the fundamental question in quantum complexity theory regarding . We leave further investigations as future work. In Appendix B, we discuss another variant that appears in the literature [27, 32], in which may only generate input states of a special form. We show that this does not change the model in the case that takes quantum advice.
3.2 Quantum UC Model: An Overview
So far, our security model falls into the stand-alone setting, where protocols are assumed to be executed in isolation. However, in practice we often encounter a network setting, where many protocols are running concurrently. A protocol proven secure according to a stand-alone security definition ensures nothing if we run it in a network environment. In view of this issue, Canetti  proposed the (classical) Universally Composable (UC) security model. It differs from the stand-alone definition of security in that the environment is allowed to be
interactive: during the execution of the protocol, the
environment may provide inputs and receive the outputs of the honest
players, and exchange arbitrary messages with the adversary. In
contrast, the environment in the stand-alone model runs only at the
end of the protocol execution (and, implicitly, before the protocol
starts, to prepare the inputs to all parties). UC-secure protocols
enjoy a property called general (or universal)
Modulo a small change in Unruh’s model (quantum advice, discussed below), our stand-alone model is exactly the restriction of Unruh’s model to a non-interactive environment, that is one which is idle from the start to the finish of the protocol. The only apparent difference is that in the UC model, the environment runs for some time before the protocol starts to prepare inputs, while in Section 3.1 we simply quantify over all joint states of the honest players’ and adversary’s inputs. This difference is only cosmetic, though: the state can be taken to be the joint state of the outputs and internal memory of the environment at the time the protocol begins.
We make one change to Unruh’s model in order to be consistent with our earlier definitions and the work of Watrous on zero-knowledge : we allow the environment to take quantum advice, rather than only classical advice. In the language of [68, p. 11], we change the initialization phase of a network execution to create a state which equals the classical string in (instead of ), and an arbitrary state in (instead of ). Here denotes the empty string. Moreover, we change the definition of indistinguishable networks [68, p. 12] to quantify over all states instead of all classical strings . This change is not significant for statistical security, since an unbounded adversary may reconstruct a quantum advice state from a (exponentially long) classical description. However, it may be significant for polynomial-time adversaries: it is not known how much quantum advice affects the power of, say BQP, relative to classical advice. For completeness, we state this modified definition of quantum UC security below.
Definition 6 (Computationally Quantum-UC Emulation).
Let and be two-party protocols. We say computationally quantum-UC (C-QUC) emulates , if for any poly-time QIM , there is a poly-time QIM such that (as per Def. 5).
Here (and likewise) denotes the composed system of and , which can be viewed as a QIM. Its network register consists of part of the adversary’s network register, and is used for external communication with another party (e.g., an environment). Alternatively, define and . We can rephrase the condition as “for any poly-time QIM , there is a poly-time QIM , such that for any poly-time QIM , .”
If we allow and to be unbounded machines, i.e., we require that , then we get the notion of statistically quantum-UC (S-QUC) emulation. As suggested in , we can also use the norm on strategies to define it. Namely, we require that for any there exists such that .
General (Concurrent) Composition. The most striking feature of
UC model is that it admits a very general form of composition,
Our modifications of Unruh’s definition do not affect the validity of the universal composition theorem:
Theorem 7 (Quantum UC Composition Theorem (Unruh )).
Let and be poly-time protocols. Assume that quantum-UC emulates . Then quantum-UC emulates .
There is another useful property that simplifies the proof of UC emulation. In both classical and quantum UC models, it suffices to consider a special adversary, which is called the dummy adversary . The dummy adversary just forwards messages between a protocol and an environment and leaves any further processing to the environment. Here we only restate the completeness of dummy adversary in the quantum setting:
Theorem 8 (Completeness of the dummy adversary (Unruh [68, Lemma 12])).
Assume that quantum-UC emulates with respect to the dummy adversary (i.e., instead of quantifying over all adversaries, we fix ). Then quantum-UC emulates . This holds both for computational and statistical settings.
4 Classical Protocols with Quantum Security
This section studies what classical protocols remain secure against quantum attacks in the computational setting. Let be a classical two-party poly-time functionality. For technical reasons, needs to be well-formed. See [13, 15] for a formal definition and discussions. Throughout this paper, we only consider well-formed functionalities as well. Classically, there are two important families of secure protocols:
Stand-alone secure computation : Assuming the existence of enhanced trapdoor permutations, there exists poly-time protocols that computationally stand-alone emulates .
Universal-composable secure computation : Assuming the existence of enhanced trapdoor permutations, there exists protocols in the -hybrid model that computationally UC emulates .
Our main result shows that these general feasibility results largely remain unchanged against quantum attacks:
For any classical two-party functionality , there exists a classical protocol that quantum computationally stand-alone emulates , under suitable quantum-resistant computational assumptions.
The proof of the theorem can be broken into two parts. First we show a quantum analogue of  in Section 4.1. Namely, there exist functionalities, such as , that are as powerful as to realizing any other functionalities based on them, even with respect to computationally quantum-UC security. To achieve this, we develop a framework called simple hybrid arguments in Sect 4.1.1 to capture a large family of classical security analyses that go through against quantum adversaries. As a result, it amounts to design a (stand-alone) secure protocol for , which is the content of Section 4.2. We stress that security of existing protocols for relies on a sophisticated rewinding argument, and it is not clear if the arguments are still valid against quantum adversaries. Hence we need new ideas to get around this difficulty.
4.1 Basing Quantum UC Secure Computation on
We show here that is sufficient for UC secure computation of any two-party functionality against any computational bounded quantum adversaries. That is, for any well-formed functionalities , there exists an -hybrid protocol that C-QUC emulates . We stress that these protocols are all classical, which can be implemented efficiently with classical communication and computation devices.
There exists a classical pseudorandom generator secure against any poly-time quantum distinguisher.
Based on this assumption and the construction of , we can obtain a statistically binding and quantum computationally hiding commitment scheme . All commitment schemes we use afterwards refer to this one. This assumption also suffices for Watrous’s ZK proof system for any NP-language against quantum attacks.
There exists a dense classical public-key crypto-system that is IND-CPA (chosen-plaintext attack) secure against quantum distinguishers.
A public-key crypto-system is dense if a valid public key is indistinguishable in quantum poly-time from a uniformly random string of the same length. Although it is likely that standard reductions would show that Assumption 2 implies Assumption 1, we chose to keep the assumptions separate because the instantiation one would normally use of the pseudorandom generator would not be related to the public-key system (instead, it would typically be based on a symmetric-key block or stream cipher). Both assumptions hold, for instance, assuming the hardness of leaning with errors (LWE) problem .
Simple Hybrid Argument.
Our analysis is based on a new abstraction called a simple hybrid argument (SHA). It captures a family of classical security arguments in the UC model which remains valid in the quantum setting (as long as the underlying primitives are secure against quantum adversaries).
Definition 2 (Simply related machines).
We say two QIMs and are -simply related if there is a time- QTM and a pair of classical distributions such that
(for two QIMs and , we say if the two machines behave identically on all inputs, that is, if they can be described by the same circuits),
Figure 5 illustrates a pair of simply related machines.
If two machines and are -simply related, then , i.e., they are -interactively indistinguishable (as per Definition 5).
By definition, and . If there is a with quantum advice that distinguishes and with advantage in time , we can construct a time- distinguisher for and with advantage as well. This contradicts . Distinguisher works by taking an input sample from either or , simulates , and outputs whatever outputs. Obviously, runs in time at most and distinguishes and with the same advantage that distinguishes and . Thus we conclude for any time- environment . ∎
Definition 4 (Simple hybrid argument).
Two machines and are related by a -simple hybrid argument of length if there is a sequence of intermediate machines such that each adjacent pair of machines, , is -simply related.
For any and , if two machines are related by a -simple hybrid argument of length , then the machines are -interactively indistinguishable.
This is by a standard hybrid argument. Suppose, for contradiction, there exists a time- machine with advice such that
Then by triangle inequality we can infer that there must exist some such that
However, by assumption and are (-simply related and in particular no time- machines can distinguish them with advantage greater than . ∎
Lifting CLOS to Quantum UC Security.
Now we apply our simple hybrid argument framework to analyze the protocol in CLOS. We first review the structure of the construction of CLOS in the static setting:
Let be a two-party functionality. Design a protocol that computationally (classical) UC (C-CUC) emulates against semi-honest adversaries. The protocol uses a semi-honest oblivious transfer (ShOT) protocol, which can be constructed assuming existence of enhanced trapdoor permutations.
Let be the “commit-and-prove” functionality of [15, Figure 8]. A protocol is constructed in -hybrid model that C-CUC emulates , assuming existence of a statistically binding and computationally hiding commitment scheme. Such a commitment scheme in turn can be constructed from a pseudorandom generator .
In -hybrid model, a generic complier is designed. Let be the -hybrid protocol after compilation. It is shown in [15, Proposition 8.1] that: for every classical adversary , there exists a classical adversary with running time polynomial in that of such that . That is, the interaction of with honest players running is identical to the interaction of with in the semi-honest model, i.e., .
It then follows that, by the UC composition theorem, C-CUC emulates in the -hybrid model.
We then show how to make the construction secure against quantum adversaries using proper quantum-resistant assumptions. The key observation is that the security proofs of the semi-honest protocol and of the protocol in the -hybrid model fall into our simple hybrid argument framework. Thus once we augment the computational assumptions to be quantum-resistant, they immediately become secure against quantum adversaries. This is stated more precisely below.
Observation 6 (CLOS proof structure).
In CLOS, the security proofs for the semi-honest protocol and the protocol for in -hybrid model against static adversaries consist of simple hybrid arguments with and .
Moreover, the underlying indistinguishable distributions in the CLOS arguments consist of either (i) switching between a real public key and a uniformly random string, (ii) changing the plaintext of an encryption, or (iii) changing the message in the commit phase of a commitment protocol.
From this observation, we get the corollary below.
Corollary 7 (CLOS—simple hybrids).
In the -hybrid model and under Assumption 1, there is a non-trivial protocol that UC-emulates in the presence of polynomial-time malicious static quantum adversaries.
Let be a well-formed two-party functionality. In the plain model, there is a protocol that UC-emulates in the presence of polynomial-time semi-honest static quantum adversaries under Assumption 2.
Observation 6 tells us there are two types of proofs in CLOS, so we only have to show both can be augmented to hold against quantum adversaries. On the one hand, simple hybrid arguments in CLOS still hold if we make assumptions 1 and 2, because the underlying distributions in these hybrid experiments will remain indistinguishable against quantum distinguishers. On the other hand, we know quantum UC composition also holds by Theorem 7.
More specifically, for the protocol in -hybrid model, the simply hybrid machines in its proof are related by switching the messages being committed. Hence protocol remains secure against malicious static quantum adversaries under Assumption 1. In the semi-honest setting, an OT protocol can be constructed from a dense crypto-system (Assumption 2), see Goldreich . Its proof consists of simply related machines that are related by either switching between a valid public key and a random string (when sender is corrupted) or switching the plaintext of an encryption (when receiver is corrupted). Therefore, this protocol C-QUC emulates against semi-honest quantum adversaries. Next in -hybrid model, the construction for an arbitrary is unconditionally secure, which, by Unruh’s lifting theorem, remains quantum-UC secure. Hence quantum UC composition theorem gives that there is a classical protocol that C-QUC emulates in the presence of semi-honest static quantum adversaries. ∎
Combining the previous arguments we can prove Theorem 1.
Proof of Theorem 1.
Fix a well-formed functionality and let be the protocol for in the semi-honest model guaranteed by the second part of Corollary 7. Now consider . We want to show that it C-QUC emulates . Theorem 8 tells us that it suffices to consider the classical dummy adversary . By [15, Proposition 8.1], the interaction of the dummy adversary with (in the hybrid model) is identical to the interaction of the adversary with (in the semi-honest model). By the security of in the semi-honest model, there exists an ideal-world adversary such that . Thus, securely emulates in the -hybrid model against malicious adversaries. By the quantum UC composition theorem, we can compose with the protocol for to get a protocol secure against malicious quantum adversaries in the -hybrid model. ∎
4.2 Realizing with Stand-alone Security
In this section, we construct a protocol that quantum stand-alone emulates . In the stand-alone model, is more commonly referred to as zero-knowledge argument of knowledge.
We will use a dense encryption scheme (Gen, Enc, Dec) as in Assumption 2. Note that Enc is a randomized algorithm and we denote by the encryption of a message under a public key using randomness , But unless when needed, we usually omit the randomness in the notation and write . We will also need a result of Watrous’s , where he showed that there exist classical zero-knowledge proofs for any NP language that are secure against any poly-time quantum verifiers. For completeness we give his definition (adapted to our terminology) of quantum computational zero-knowledge proof [72, Definition 7].
An interactive proof system for a language is quantum computational zero-knowledge if, for every poly-time QIM , there exists a poly-time QIM that satisfies the following requirements.
The verifier and simulator agree on the polynomially bounded functions and that specify the number of auxiliary input qubits and output qubits, respectively.
Let be the machine describing that interaction between and on input , and let be the simulator’s machine on input . Then the ensembles and are quantum computationally indistinguishable as per Definition 3.
Now that we have all building blocks ready, our construction of a classical ZKAoK protocol is as follows.
chooses at random, and sends
a commitment of : .
sends to .
sends string .
proves to that is indeed a commitment of using Watrous’s ZK protocol.
and set and interpret it as a public key. Phase 2 , holding an instance and a witness , encrypts under . Let . sends to .
proves to that encodes a witness of using Watrous’s ZK protocol. accepts if it accepts in this ZK protocol. Otherwise it rejects and halts.
Protocol quantum stand-alone-emulates .
The full proof appears in Sect. 4.2.1. We provide a brief and intuitive justification here. Roughly speaking, Phase 1 constitutes what may be called a “semi-simulatable” coin-flipping protocol. Specifically we can simulate a corrupted Prover. This implies that a simulator can “cheat” in Phase 1 and force the outcome to be a public key of which he knows a corresponding secret key , so that can decrypt to recover in the end. This allows us to show argument of knowledge (in our stand-alone model). On the other side, although generally we cannot simulate a corrupted verifier in Phase 1, we can guarantee that the outcome is uniformly random if the verifier behaves honestly. This is good enough to show zero-knowledge, because we can later encrypt an all-zero string and use the simulator for the ZK protocol in Phase 2 to produce a fake proof. In reality, a corrupted verifier may bias the coin-flipping outcome by aborting dependent on Prover’s message for example. This technical subtlety, nonetheless, is not hard to deal with. Intuitively the verifier only sees “less” information about the witness if he/she decides to abort in Phase 1.
Proof of Theorem 9: Quantum Stand-alone Secure ZKAoK
For the sake of clarity, we propose a non-interactive notion of simple hybrid argument, analogous to Def. 4, which formalizes a common structure in stand-alone security proofs.
Definition 10 (Simply related non-interactive machines).
We say two QTMs and are -simply related if there is a time- QTM and a pair of QTMs such that
(for two QTMs and , we say if they can be described by the same circuits),
Definition 11 (Simple hybrid argument (non-interactive version)).
Two machines and are related by a -simple hybrid argument of length if there is a sequence of intermediate machines such that each adjacent pair of machines, , is -simply related.
For any and , if two machines are related by a -simple hybrid argument of length , then the machines are -indistinguishable.
Suppose for contradiction, there exists a time- QTM with advice such that . Then by triangle inequality we can infer that there must exist some s.t. . However, by assumption and are (-simply related and in particular no time- QTMs can distinguish them with advantage greater than . ∎
Actually, the proof of our modular composition can be seen as a simple hybrid argument. Specifically in step 3, and are simply related by and .
We now prove Theorem 9 following the (non-interactive) simply hybrid argument framework.
Proof of Theorem 9.
We denote the two ZK proof systems in Phase 1 & 2 by ZK and ZK respectively. The two NP languages, formalized below, are denoted by and respectively.
The simulators of ZK and ZK are denoted by and respectively. We stress that Watrous’s ZK protocol has negligible completeness and soundness errors, and in addition the simulator succeeds for arbitrary quantum poly-time verifiers on true instances, except with negligible probability.
Prover is Corrupted. For any real-world adversary , we construct an ideal-world adversary .
Prover is corrupted
Input: as a black box; security parameter .
initializes with whatever input
state it receives.
In Phase 1, does the following:
Compute and send it to
Obtain from .
Run Gen to obtain .
Send to .
Run the simulator for ZK with input .
In Phase 2, obtains and executes ZK with . If ZK succeeds, decrypts to get and sends to .
outputs whatever outputs.
Let be the QTM of ideal-world interaction between and ; and let describing real-world interaction between and .
We define a sequence of machines to form a hybrid argument:
. Specifically, on any input state, the output has two parts: one part corresponds to the adversary ’s output state, and the other corresponds to the dummy verifier’s output, which is accepting if obtained by in step 3 is a valid witness, i.e., .
: differ from only in that always let the dummy verifier accept as long as ZK succeeds.
: differs from in the message in Phase 1: instead of sending , in , is set to be a uniformly random string.
: in the first step of Phase 1, commits to instead of committing to .
: instead of running simulator , executes the actual ZK protocol. Observe that .
Now it is easy to see: