On Quantum Chosen-Ciphertext Attacks and Learning with Errors

Authors Gorjan Alagic, Stacey Jeffery, Maris Ozols, Alexander Poremba

  • Filesize: 0.64 MB
  • 23 pages

Author Details

Gorjan Alagic
  • QuICS, University of Maryland, MD, USA
  • NIST, Gaithersburg, MD, USA
Stacey Jeffery
  • QuSoft, Amsterdam, Netherlands
  • CWI, Amsterdam, Netherlands
Maris Ozols
  • QuSoft, Amsterdam, Netherlands
  • University of Amsterdam, Netherlands
Alexander Poremba
  • Computing and Mathematical Sciences, Caltech, Pasadena, CA, USA


We thank Ronald de Wolf for helpful discussions and Jop Briët for Lemma 25.

Cite As

Gorjan Alagic, Stacey Jeffery, Maris Ozols, and Alexander Poremba. On Quantum Chosen-Ciphertext Attacks and Learning with Errors. In 14th Conference on the Theory of Quantum Computation, Communication and Cryptography (TQC 2019). Leibniz International Proceedings in Informatics (LIPIcs), Volume 135, pp. 1:1-1:23, Schloss Dagstuhl – Leibniz-Zentrum für Informatik (2019)


Quantum computing is a significant threat to classical public-key cryptography. In strong "quantum access" security models, numerous symmetric-key cryptosystems are also vulnerable. We consider classical encryption in a model which grants the adversary quantum oracle access to encryption and decryption, but where the latter is restricted to non-adaptive (i.e., pre-challenge) queries only. We define this model formally using appropriate notions of ciphertext indistinguishability and semantic security (which are equivalent by standard arguments) and call it QCCA1 in analogy to the classical CCA1 security model. Using a bound on quantum random-access codes, we show that the standard PRF-based encryption schemes are QCCA1-secure when instantiated with quantum-secure primitives. We then revisit standard IND-CPA-secure Learning with Errors (LWE) encryption and show that leaking just one quantum decryption query (and no other queries or leakage of any kind) allows the adversary to recover the full secret key with constant success probability. In the classical setting, by contrast, recovering the key requires a linear number of decryption queries. The algorithm at the core of our attack is a (large-modulus version of) the well-known Bernstein-Vazirani algorithm. We emphasize that our results should not be interpreted as a weakness of these cryptosystems in their stated security setting (i.e., post-quantum chosen-plaintext secrecy). Rather, our results mean that, if these cryptosystems are exposed to chosen-ciphertext attacks (e.g., as a result of deployment in an inappropriate real-world setting), then quantum attacks are even more devastating than classical ones.

ACM Subject Classification
  • Theory of computation → Quantum computation theory
  • Security and privacy → Cryptanalysis and other attacks

Keywords
  • quantum chosen-ciphertext security
  • quantum attacks
  • learning with errors


