Abstract
Security against chosen-ciphertext attacks (CCA) concerns privacy of messages even if the adversary has access to the decryption oracle. While the classical notion of CCA security seems to be strong enough to capture many attack scenarios, it falls short of preserving the privacy of messages in the presence of quantum decryption queries. Boneh and Zhandry (CRYPTO 2013) defined the notion of quantum CCA (qCCA) security to address quantum decryption queries. However, their construction is based on an exotic cryptographic primitive, for which only one instantiation is known. In this work, we comprehensively study qCCA security and obtain the following results:
- We show that key-dependent message secure encryption (along with PKE) is sufficient to realize qCCA-secure PKE. This yields the first construction of qCCA-secure PKE from the LPN assumption.
- We prove that hash proof systems imply qCCA-secure PKE, which results in the first instantiation of PKE with qCCA security from group actions.
- We extend the notion of adaptive TDFs (ATDFs) to the quantum setting by introducing quantum ATDFs, and we prove that quantum ATDFs are sufficient to realize qCCA-secure PKE.
- We show that a single-bit qCCA-secure PKE is sufficient to realize a multi-bit qCCA-secure PKE by extending the completeness of bit encryption for CCA security to the quantum setting.
- We define quantum CCA security for predicate encryption, and we show that the generic framework of Koppula and Waters (CRYPTO 2019) for constructing CCA-secure PKE can also be used to realize quantum CCA security for predicate encryption.
Notes
Key Encapsulation Mechanism and Data Encapsulation Mechanism, respectively.
Sometimes such changes are made implicitly to the decryption oracle, as was the case in the CCA security proof of [51] sketched above; but we have to make these modifications more explicit in our qCCA proofs in order to apply the OW2H lemma.
The security definition for signature schemes which are one-time unforgeable, and not strongly unforgeable, is the same as Definition 2.4 except we replace the check “\(({\textsf {m}}^*, \sigma ^*) \ne ({\textsf {m}}, \sigma )\)” with “\({\textsf {m}}^* \ne {\textsf {m}}\)”. In other words, such “weakly” unforgeable signatures do not guarantee that the adversary \(\mathcal {A}\) cannot derive different valid signatures \(\sigma ^* \ne \sigma \) for the same queried message \({\textsf {m}}\).
Also sometimes referred to as “encapsulated key” in this paper.
Technically, the spaces \(\mathcal {M}\), \(\mathcal {X} \) and \(\mathcal {C} \) are supposed to be parameterized by the security parameter \(\lambda \). However we ignore this detail in the paper for notational simplicity but without loss of generality.
As explained in [39, Remark 2.1], sticking to a deterministic \(\textsf{KGen} \) is not really a restriction since the key generation algorithm of any PE scheme can be made deterministic with minimal overhead using a pseudorandom function.
As remarked in [39, Footnote 2], the original security definitions of predicate encryption in the literature (e.g., [13, 34]) required the adversary to not be able to tell which of the attributes \(\textsf{x} _0\) or \(\textsf{x} _1\) was used in the challenge encryption – even when the adversary has secret keys corresponding to predicates \(\textsf{C} \) with \(\textsf{C} (\textsf{x} _0) = \textsf{C} (\textsf{x} _1)\). On the other hand, one-sided predicate encryption gives us a weaker guarantee where this secrecy of attributes holds only w.r.t. \(\textsf{C} (\textsf{x} _0) = \textsf{C} (\textsf{x} _1) = 0\), but not when \(\textsf{C} (\textsf{x} _0) = \textsf{C} (\textsf{x} _1) = 1\); hence the term “one-sided” security.
The only difference is that we require the computational properties to hold in the presence of QPT adversaries (i.e., post-quantum security).
Specifically, \((\sigma ^*, w^*)\) is generated in the pre-challenge phase (which is going to be used in the challenge phase). However, this change does not affect \(\mathcal {A}\)’s view.
As usual, ciphertexts equal to the challenge ciphertext \({\textsf {ct}}^*\) will also be rejected.
For a fixed \(\sigma \in L\), finding a corresponding witness w may not be efficient. However, note that \(\mathcal {D} '\) is potentially inefficient since our proof relies on a statistical property of hash proof systems, namely \(\varepsilon '\)-smoothness (Definition 3.1).
This correctness notion is analogous to the almost-all-keys correctness defined for PKE schemes in Section 2.
The arithmetic is done over GF\((2^{4\lambda })\) and \(\textbf{h}\) is interpreted as an element of \(\{0, 1\}^{4\lambda }\).
Note that we no longer require \({\textsf {sk}}^0\) in this modified decapsulation oracle.
It is worth pointing out that in the bounds obtained on the classical CCA analog of \(\Pr [M^{(2b)}_4]\) in [37, Lemma 1], there is a (1/q) multiplicative factor, since in their reduction, the CPA adversary (with respect to \(\textsf{KEM}\)) chooses one of \(\mathcal {A}\)’s decapsulation queries uniformly at random. However, we do not have such a factor in our bounds since by applying Lemma 2.1, we are already measuring one of \(\mathcal {A}\)’s decapsulation queries uniformly at random; i.e., this “random guessing” is accounted for in the definition of \(P_{\text {guess}} = \Pr [M^{(2b)}_4]\).
Such a scheme is implied by post-quantum one-way functions.
Specifically, the pair \(({\textsf {ct}}^*, {\textsf {k}}^*)\) is generated by running \(\textsf {Encaps} ({\textsf {pk}})\) before \(\mathcal {A}\) gets to choose a pair of messages \(({\textsf {m}}_0, {\textsf {m}}_1)\). However, this change does not affect \(\mathcal {A}\)’s view compared to the original qCCA game.
It is not hard to see that the Goldreich-Levin theorem relating the one-wayness of a TDF to the hardcore bit security also applies when the TDF inverter and the bit distinguisher have quantum access to the corresponding TDF inversion oracle. This is because the probability-theoretic analysis in the original Goldreich-Levin theorem [30] is agnostic of any oracle access (be it classical or quantum) that the inverter and distinguisher have; the oracles would only be needed to ensure that the inverter can properly simulate the distinguisher’s view.
We “pre-compute” the randomness \( (x_i)_{i \in [\lambda ]}\) (used to encrypt \(\mathcal {A}\)’s chosen messages in the challenge phase) already in the pre-challenge phase. But this does not affect \(\mathcal {A}\)’s view in any way compared to the original qCCA game.
In contrast to qCCA security proofs in earlier sections (e.g., Section 3) here we are first modifying the decryption oracle in the post-challenge phase followed by the pre-challenge phase. This step is crucial in our analysis as will be seen later on.
When F is the zero function, the notions of (q)DCCA security and (q)CCA security are in fact equivalent.
We make this assumption of perfect correctness for ease of exposition. One can extend our following qCCA security proof to the case when the underlying PKE schemes are almost-all-keys-correct, similar to our qCCA security analysis in Section 4.
\(\ell \) denotes the bit-length of \((r_A, r_B, {\textsf {m}}_b)\).
Technically, in the context of applying Lemma 2.1, the probability \(P_{\text {guess}}\) corresponds to the measured ciphertext also satisfying \(\overline{\textsf {Dec}}({\textsf {sk}}, {\textsf {ct}}) \ne \bot \), in addition to being a bad-query. But we have \(P_{\text {guess}}\) to be trivially upper-bounded by \(\Pr [M^{(3)}]\).
In the context of Lemma 2.1, note that the case \(\overline{i} > i\) translates to the setting when the oracle algorithm A (simulating \(\overline{\text {Game}}\) 6 towards \(\mathcal {A}\)) makes less than \(\overline{i}\) queries to its quantum oracle, and hence is accounted for by the generalized OW2H lemma.
As noted previously, we make this assumption for the ease of exposition. One can extend our analysis to the case where \(\textsf{PKE} _{1-bit}\) satisfies almost-all-keys correctness.
This is essentially the same construction as in [33, Appendix B] (for classical CCA security).
Here “cKG” denotes that the adversary can only make classical queries to the \(\underline{\textsf{KG}}\textsf{en}\) oracle.
It is straightforward to see that the transform used by Koppula and Waters in [39, Section 2.1] to provide “recovery from randomness” property to any PE scheme with one-sided CPA security also applies to CPA-secure PKE schemes in general. So we can assume without loss of generality that CPA-secure PKE schemes have randomness recovery as well.
Note that in this reduction, \(\mathcal {B} ^1_{sig}\) does not query its one-time signing oracle in the SUF security game at all. So technically, we could have relied on a weaker security property of \(\textsf{SIG} \) (weaker than one-time strong unforgeability) to argue the indistinguishability of Games 1 and 2a.
References
Behzad Abdolmaleki, Céline Chevalier, Ehsan Ebrahimi, Giulio Malavolta, and Quoc-Huy Vu. On quantum simulation-soundness. IACR Commun. Cryptol., 1(4):18, 2024.
Shweta Agrawal, Dan Boneh, and Xavier Boyen. Efficient lattice (H)IBE in the standard model. In Henri Gilbert, editor, Advances in Cryptology – EUROCRYPT 2010, volume 6110 of Lecture Notes in Computer Science, pages 553–572. Springer, Heidelberg, May / June 2010.
Navid Alamati, Luca De Feo, Hart Montgomery, and Sikhar Patranabis. Cryptographic group actions and applications. In Shiho Moriai and Huaxiong Wang, editors, Advances in Cryptology – ASIACRYPT 2020, Part II, volume 12492 of Lecture Notes in Computer Science, pages 411–439. Springer, Heidelberg, December 2020.
Andris Ambainis, Mike Hamburg, and Dominique Unruh. Quantum security proofs using semi-classical oracles. In Alexandra Boldyreva and Daniele Micciancio, editors, Advances in Cryptology – CRYPTO 2019, Part II, volume 11693 of Lecture Notes in Computer Science, pages 269–295. Springer, Heidelberg, August 2019.
Prabhanjan Ananth, Luowen Qian, and Henry Yuen. Cryptography from pseudorandom quantum states. In Yevgeniy Dodis and Thomas Shrimpton, editors, Advances in Cryptology – CRYPTO 2022, Part I, volume 13507 of Lecture Notes in Computer Science, pages 208–236. Springer, Heidelberg, 2022.
Benny Applebaum, David Cash, Chris Peikert, and Amit Sahai. Fast cryptographic primitives and circular-secure encryption based on hard learning problems. In Shai Halevi, editor, Advances in Cryptology – CRYPTO 2009, volume 5677 of Lecture Notes in Computer Science, pages 595–618. Springer, Heidelberg, 2009.
Khashayar Barooti, Alex B. Grilo, Loïs Huguenin-Dumittan, Giulio Malavolta, Or Sattath, Quoc-Huy Vu, and Michael Walter. Public-key encryption with quantum keys. In Guy N. Rothblum and Hoeteck Wee, editors, TCC 2023, Part IV, volume 14372 of Lecture Notes in Computer Science, pages 198–227. Springer, 2023.
James Bartusek, Andrea Coladangelo, Dakshita Khurana, and Fermi Ma. On the round complexity of secure quantum computation. In Tal Malkin and Chris Peikert, editors, Advances in Cryptology – CRYPTO 2021, Part I, volume 12825 of Lecture Notes in Computer Science, pages 406–435, Virtual Event, August 2021. Springer, Heidelberg.
Charles H. Bennett, Ethan Bernstein, Gilles Brassard, and Umesh Vazirani. Strengths and weaknesses of quantum computing. SIAM Journal on Computing, 26(5):1510–1523, 1997.
Ritam Bhaumik, Xavier Bonnetain, André Chailloux, Gaëtan Leurent, María Naya-Plasencia, André Schrottenloher, and Yannick Seurin. QCB: Efficient quantum-secure authenticated encryption. In Mehdi Tibouchi and Huaxiong Wang, editors, Advances in Cryptology – ASIACRYPT 2021, Part I, volume 13090 of Lecture Notes in Computer Science, pages 668–698. Springer, Heidelberg, 2021.
Dan Boneh, Ran Canetti, Shai Halevi, and Jonathan Katz. Chosen-ciphertext security from identity-based encryption. SIAM J. Comput., 36(5):1301–1328, 2007.
Dan Boneh, Özgür Dagdelen, Marc Fischlin, Anja Lehmann, Christian Schaffner, and Mark Zhandry. Random oracles in a quantum world. In Dong Hoon Lee and Xiaoyun Wang, editors, Advances in Cryptology – ASIACRYPT 2011, volume 7073 of Lecture Notes in Computer Science, pages 41–69. Springer, Heidelberg, December 2011.
Dan Boneh and Brent Waters. Conjunctive, subset, and range queries on encrypted data. In Salil P. Vadhan, editor, TCC 2007: 4th Theory of Cryptography Conference, volume 4392 of Lecture Notes in Computer Science, pages 535–554. Springer, Heidelberg, 2007.
Dan Boneh and Mark Zhandry. Quantum-secure message authentication codes. In Thomas Johansson and Phong Q. Nguyen, editors, Advances in Cryptology – EUROCRYPT 2013, volume 7881 of Lecture Notes in Computer Science, pages 592–608. Springer, Heidelberg, 2013.
Dan Boneh and Mark Zhandry. Secure signatures and chosen ciphertext security in a quantum computing world. In Ran Canetti and Juan A. Garay, editors, Advances in Cryptology – CRYPTO 2013, Part II, volume 8043 of Lecture Notes in Computer Science, pages 361–379. Springer, Heidelberg, 2013.
Zvika Brakerski and Vinod Vaikuntanathan. Circuit-ABE from LWE: Unbounded attributes and semi-adaptive security. In Matthew Robshaw and Jonathan Katz, editors, Advances in Cryptology – CRYPTO 2016, Part III, volume 9816 of Lecture Notes in Computer Science, pages 363–384. Springer, Heidelberg, 2016.
Anne Broadbent, Zhengfeng Ji, Fang Song, and John Watrous. Zero-knowledge proof systems for QMA. In Irit Dinur, editor, 57th Annual Symposium on Foundations of Computer Science, pages 31–40. IEEE Computer Society Press, October 2016.
Wouter Castryck, Tanja Lange, Chloe Martindale, Lorenz Panny, and Joost Renes. CSIDH: An efficient post-quantum commutative group action. In Thomas Peyrin and Steven Galbraith, editors, Advances in Cryptology – ASIACRYPT 2018, Part III, volume 11274 of Lecture Notes in Computer Science, pages 395–427. Springer, Heidelberg, 2018.
Céline Chevalier, Ehsan Ebrahimi, and Quoc Huy Vu. On security notions for encryption in a quantum world. In Takanori Isobe and Santanu Sarkar, editors, INDOCRYPT 2022, volume 13774 of Lecture Notes in Computer Science, pages 592–613. Springer, 2022.
Andrea Coladangelo. Quantum trapdoor functions from classical one-way functions. Cryptology ePrint Archive, Report 2023/282, 2023. https://eprint.iacr.org/2023/282.
Ronald Cramer, Goichiro Hanaoka, Dennis Hofheinz, Hideki Imai, Eike Kiltz, Rafael Pass, abhi shelat, and Vinod Vaikuntanathan. Bounded CCA2-secure encryption. In Kaoru Kurosawa, editor, Advances in Cryptology – ASIACRYPT 2007, volume 4833 of Lecture Notes in Computer Science, pages 502–518. Springer, Heidelberg, 2007.
Ronald Cramer and Victor Shoup. Universal hash proofs and a paradigm for adaptive chosen ciphertext secure public-key encryption. In Lars R. Knudsen, editor, Advances in Cryptology – EUROCRYPT 2002, volume 2332 of Lecture Notes in Computer Science, pages 45–64. Springer, Heidelberg, April / May 2002.
Ronald Cramer and Victor Shoup. Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack. SIAM Journal on Computing, 33(1):167–226, 2003.
Danny Dolev, Cynthia Dwork, and Moni Naor. Non-malleable cryptography (extended abstract). In 23rd Annual ACM Symposium on Theory of Computing, pages 542–552. ACM Press, May 1991.
Jelle Don, Serge Fehr, Christian Majenz, and Christian Schaffner. Online-extractability in the quantum random-oracle model. In Orr Dunkelman and Stefan Dziembowski, editors, Advances in Cryptology – EUROCRYPT 2022, Part III, volume 13277 of Lecture Notes in Computer Science, pages 677–706. Springer, Heidelberg, May / June 2022.
Cynthia Dwork, Moni Naor, and Omer Reingold. Immunizing encryption schemes from decryption errors. In Christian Cachin and Jan Camenisch, editors, Advances in Cryptology – EUROCRYPT 2004, volume 3027 of Lecture Notes in Computer Science, pages 342–360. Springer, Heidelberg, 2004.
Serge Fehr, Jonathan Katz, Fang Song, Hong-Sheng Zhou, and Vassilis Zikas. Feasibility and completeness of cryptographic tasks in the quantum world. In Amit Sahai, editor, TCC 2013: 10th Theory of Cryptography Conference, volume 7785 of Lecture Notes in Computer Science, pages 281–296. Springer, Heidelberg, 2013.
Eiichiro Fujisaki and Tatsuaki Okamoto. Secure integration of asymmetric and symmetric encryption schemes. Journal of Cryptology, 26(1):80–101, 2013.
Tommaso Gagliardoni, Andreas Hülsing, and Christian Schaffner. Semantic security and indistinguishability in the quantum world. In Matthew Robshaw and Jonathan Katz, editors, Advances in Cryptology – CRYPTO 2016, Part III, volume 9816 of Lecture Notes in Computer Science, pages 60–89. Springer, Heidelberg, 2016.
Oded Goldreich and Leonid A. Levin. A hard-core predicate for all one-way functions. In 21st Annual ACM Symposium on Theory of Computing, pages 25–32. ACM Press, May 1989.
Shuai Han, Shengli Liu, Lin Lyu, and Dawu Gu. Tight leakage-resilient CCA-security from quasi-adaptive hash proof system. In Alexandra Boldyreva and Daniele Micciancio, editors, Advances in Cryptology – CRYPTO 2019, Part II, volume 11693 of Lecture Notes in Computer Science, pages 417–447. Springer, Heidelberg, 2019.
Susan Hohenberger, Venkata Koppula, and Brent Waters. Chosen ciphertext security from injective trapdoor functions. In Daniele Micciancio and Thomas Ristenpart, editors, Advances in Cryptology – CRYPTO 2020, Part I, volume 12170 of Lecture Notes in Computer Science, pages 836–866. Springer, Heidelberg, 2020.
Susan Hohenberger, Allison B. Lewko, and Brent Waters. Detecting dangerous queries: A new approach for chosen ciphertext security. In David Pointcheval and Thomas Johansson, editors, Advances in Cryptology – EUROCRYPT 2012, volume 7237 of Lecture Notes in Computer Science, pages 663–681. Springer, Heidelberg, 2012.
Jonathan Katz, Amit Sahai, and Brent Waters. Predicate encryption supporting disjunctions, polynomial equations, and inner products. In Nigel P. Smart, editor, Advances in Cryptology – EUROCRYPT 2008, volume 4965 of Lecture Notes in Computer Science, pages 146–162. Springer, Heidelberg, 2008.
Eike Kiltz, Daniel Masny, and Krzysztof Pietrzak. Simple chosen-ciphertext security from low-noise LPN. In Hugo Krawczyk, editor, PKC 2014: 17th International Conference on Theory and Practice of Public Key Cryptography, volume 8383 of Lecture Notes in Computer Science, pages 1–18. Springer, Heidelberg, 2014.
Eike Kiltz, Payman Mohassel, and Adam O’Neill. Adaptive trapdoor functions and chosen-ciphertext security. In Henri Gilbert, editor, Advances in Cryptology – EUROCRYPT 2010, volume 6110 of Lecture Notes in Computer Science, pages 673–692. Springer, Heidelberg, May / June 2010.
Fuyuki Kitagawa, Takahiro Matsuda, and Keisuke Tanaka. CCA security and trapdoor functions via key-dependent-message security. In Alexandra Boldyreva and Daniele Micciancio, editors, Advances in Cryptology – CRYPTO 2019, Part III, volume 11694 of Lecture Notes in Computer Science, pages 33–64. Springer, Heidelberg, 2019.
Fuyuki Kitagawa, Ryo Nishimaki, and Takashi Yamakawa. Secure software leasing from standard assumptions. In Kobbi Nissim and Brent Waters, editors, TCC 2021: 19th Theory of Cryptography Conference, Part I, volume 13042 of Lecture Notes in Computer Science, pages 31–61. Springer, Heidelberg, 2021.
Venkata Koppula and Brent Waters. Realizing chosen ciphertext security generically in attribute-based encryption and predicate encryption. In Alexandra Boldyreva and Daniele Micciancio, editors, Advances in Cryptology – CRYPTO 2019, Part II, volume 11693 of Lecture Notes in Computer Science, pages 671–700. Springer, Heidelberg, 2019.
Xu Liu and Mingqiang Wang. QCCA-secure generic key encapsulation mechanism with tighter security in the quantum random oracle model. In Juan Garay, editor, PKC 2021: 24th International Conference on Theory and Practice of Public Key Cryptography, Part I, volume 12710 of Lecture Notes in Computer Science, pages 3–26. Springer, Heidelberg, 2021.
Daniele Micciancio and Chris Peikert. Hardness of SIS and LWE with small parameters. In Ran Canetti and Juan A. Garay, editors, Advances in Cryptology – CRYPTO 2013, Part I, volume 8042 of Lecture Notes in Computer Science, pages 21–39. Springer, Heidelberg, 2013.
Tomoyuki Morimae and Takashi Yamakawa. One-wayness in quantum cryptography. Cryptology ePrint Archive, Report 2022/1336, 2022. https://eprint.iacr.org/2022/1336.
Tomoyuki Morimae and Takashi Yamakawa. Quantum commitments and signatures without one-way functions. In Yevgeniy Dodis and Thomas Shrimpton, editors, Advances in Cryptology – CRYPTO 2022, Part I, volume 13507 of Lecture Notes in Computer Science, pages 269–295. Springer, Heidelberg, 2022.
Steven Myers and abhi shelat. Bit encryption is complete. In 50th Annual Symposium on Foundations of Computer Science, pages 607–616. IEEE Computer Society Press, October 2009.
Moni Naor and Moti Yung. Public-key cryptosystems provably secure against chosen ciphertext attacks. In 22nd Annual ACM Symposium on Theory of Computing, pages 427–437. ACM Press, May 1990.
Michael Nielsen and Isaac Chuang. Quantum Computation and Quantum Information. Cambridge University Press, 2000.
Chris Peikert and Brent Waters. Lossy trapdoor functions and their applications. In Richard E. Ladner and Cynthia Dwork, editors, 40th Annual ACM Symposium on Theory of Computing, pages 187–196. ACM Press, May 2008.
Charles Rackoff and Daniel R. Simon. Non-interactive zero-knowledge proof of knowledge and chosen ciphertext attack. In Joan Feigenbaum, editor, Advances in Cryptology – CRYPTO’91, volume 576 of Lecture Notes in Computer Science, pages 433–444. Springer, Heidelberg, 1992.
Bhaskar Roberts and Mark Zhandry. Franchised quantum money. In Mehdi Tibouchi and Huaxiong Wang, editors, Advances in Cryptology – ASIACRYPT 2021, Part I, volume 13090 of Lecture Notes in Computer Science, pages 549–574. Springer, Heidelberg, 2021.
John Rompel. One-way functions are necessary and sufficient for secure signatures. In 22nd Annual ACM Symposium on Theory of Computing, pages 387–394. ACM Press, May 1990.
Alon Rosen and Gil Segev. Chosen-ciphertext security via correlated products. In Omer Reingold, editor, TCC 2009: 6th Theory of Cryptography Conference, volume 5444 of Lecture Notes in Computer Science, pages 419–436. Springer, Heidelberg, 2009.
Amit Sahai and Brent R. Waters. Fuzzy identity-based encryption. In Ronald Cramer, editor, Advances in Cryptology – EUROCRYPT 2005, volume 3494 of Lecture Notes in Computer Science, pages 457–473. Springer, Heidelberg, 2005.
Tianshu Shan, Jiangxia Ge, and Rui Xue. QCCA-secure generic transformations in the quantum random oracle model. In Alexandra Boldyreva and Vladimir Kolesnikov, editors, PKC 2023, Part I, volume 13940 of Lecture Notes in Computer Science, pages 36–64. Springer, 2023.
Victor Shoup. Why chosen ciphertext security matters, 1998. IBM TJ Watson Research Center.
Dominique Unruh. Revocable quantum timed-release encryption. In Phong Q. Nguyen and Elisabeth Oswald, editors, Advances in Cryptology – EUROCRYPT 2014, volume 8441 of Lecture Notes in Computer Science, pages 129–146. Springer, Heidelberg, 2014.
Dominique Unruh. Post-quantum verification of Fujisaki-Okamoto. In Shiho Moriai and Huaxiong Wang, editors, Advances in Cryptology – ASIACRYPT 2020, Part I, volume 12491 of Lecture Notes in Computer Science, pages 321–352. Springer, Heidelberg, 2020.
Keita Xagawa and Takashi Yamakawa. (Tightly) QCCA-secure key-encapsulation mechanism in the quantum random oracle model. In Jintai Ding and Rainer Steinwandt, editors, Post-Quantum Cryptography - 10th International Conference, PQCrypto 2019, pages 249–268. Springer, Heidelberg, 2019.
Mark Zhandry. How to construct quantum random functions. In 53rd Annual Symposium on Foundations of Computer Science, pages 679–687. IEEE Computer Society Press, October 2012.
Mark Zhandry. How to record quantum queries, and applications to quantum indifferentiability. In Alexandra Boldyreva and Daniele Micciancio, editors, Advances in Cryptology – CRYPTO 2019, Part II, volume 11693 of Lecture Notes in Computer Science, pages 239–268. Springer, Heidelberg, 2019.
Additional information
Communicated by Serge Fehr.
Parts of this work were done while VM was an intern at VISA Research (and a PhD student at ETH Zürich).
This paper was reviewed by Ehsan Ebrahimi and Quoc-Huy Vu.
About this article
Cite this article
Alamati, N., Maram, V. Quantum CCA-Secure PKE, Revisited. J Cryptol 38, 33 (2025). https://doi.org/10.1007/s00145-025-09555-4
DOI: https://doi.org/10.1007/s00145-025-09555-4