1 Introduction

At its core, a security definition is a set of mathematical conditions, and a security proof consists in showing that these conditions hold for a given protocol. Given various security definitions, one may analyze which are stronger and weaker by proving reductions or finding separating examples. This, however, does not tell us which definitions one should use: a definition that is too weak may admit protocols with security issues, and one that is too strong may exclude protocols that are arguably secure. For example, \(\mathsf{IND}\text{-}\mathsf{CCA2}\) is often considered an unnecessarily strong security definition, since taking a scheme which is \(\mathsf{IND}\text{-}\mathsf{CCA2}\) and appending a bit to the ciphertext results in a new encryption scheme that is arguably as secure as the original scheme, but does not satisfy \(\mathsf{IND}\text{-}\mathsf{CCA2}\) [15, 17]. In this work we take a more critical approach to defining security. We ask what criteria a security definition needs to satisfy that are both necessary and sufficient conditions to call a protocol “secure”. We then apply them to the problem of encrypting and authenticating quantum messages with computational security in the symmetric-key setting.

1.1 A Security Desideratum

Operational Security. Common security definitions for encryption and authentication found in the literature are game-based, i.e., they require that an adversary cannot win a game such as guessing what message has been encrypted given access to certain oracles; see, e.g., [8] and [24] for comparisons of various such games in the public-key and private-key settings, respectively. These have been adapted for transmitting quantum messages: a definition for \(\textsf {QCPA}\) has been proposed in [11], \(\mathsf{QCCA1}\) in [1], and \(\mathsf{QCCA2}\) as well as notions of quantum unforgeability and quantum authenticated encryption in [2]. These are just some of the security games one can imagine—in the classical, symmetric-key setting, [24] analyzes 18 different security notions. A natural question is then which of these games are the relevant ones, i.e., for which of them it is both necessary and sufficient that an adversary cannot win. And the general answer is: we do not know.

Through such cryptographic protocols one wishes to prevent an adversary from learning some part of a message or modifying a message undetected. But it is generally unclear how such game-based security definitions relate to these operational notions—we refer to [32] for a more in-depth critique of game-based security. Instead, one should directly define security operationally. In this work we follow the constructive paradigm of [28, 30, 31], and define a protocol to be secure if it constructs a channel with the desired properties, e.g., one that only leaks the message size, or one that only allows the adversary to block the message, but not to change it or insert new messages.

Composable Security. A second drawback of the definitions proposed so far in the literature for computational security of quantum message transmission [1, 2, 11] is that they are not (proven to be) composable. A long history of work on composable security has shown that analyzing a protocol in an isolated setting does not imply that it is actually secure when one considers the environment in which it is used. When performing such a composable security analysis, one sometimes finds that the definitions used are inappropriate but the protocols are actually secure, as for quantum key distribution [10, 25, 39]; that the definitions still imply security (up to a loss in the security parameter), as for delegated quantum computation [18]; or that not only the definitions but also the protocols are insecure, as for relativistic and bounded storage bit commitment and (biased) coin tossing [44]. It is thus necessary for a protocol to be proven to satisfy a composable security definition before it may be considered (provably) secure and safely used in an arbitrary environment.

Finite Security. A third problem with the aforementioned security definitions is that they are all asymptotic. This means that the protocols have a security parameter \(k \in \mathbb {N}\)—formally, one considers a sequence of protocols \(\{\Pi _k\}_{k \in \mathbb {N}}\)—and security is defined in the limit when \(k \rightarrow \infty \). An implementation of a protocol will however always be finite, e.g., the honest players choose a specific parameter \(k_0\) which they consider to be sufficient and run \(\Pi _{k_0}\). A security proof for \(k \rightarrow \infty \) does not tell us anything about security for any specific parameter \(k_0\) and thus does not tell us anything about the security of \(\Pi _{k_0}\), which is what the honest players actually run. To resolve this issue, some works consider what is called concrete security [7], i.e., instead of hiding parameters in O-notation, security bounds and reductions are given explicitly. This is a first step toward obtaining finite security, but it still considers the security of a sequence \(\{\Pi _k\}_{k \in \mathbb {N}}\) instead of the security of the individual elements \(\Pi _{k_0}\) in this sequence. For example, one still considers adversaries that are polynomial in k, simulators that must be efficient in k, and errors that are negligible in k. But the security definition of some \(\Pi _{k_0}\) should not depend on any other elements in the sequence, on how the sequence is defined, or on whether it is defined at all. Hence notions such as poly-time, efficiency, or negligibility should not be part of a security definition for some specific \(\Pi _{k_0}\). We call the security paradigm that analyzes individual elements \(\Pi _{k_0}\) finite security, and show in this work how to define it for computational security of quantum message transmission.

1.2 Overview of Results

Our contributions are threefold. We first provide definitions for encryption and authentication of quantum messages that satisfy the desideratum expressed above. In particular, we show how to define finite security in the computational case. In Sect. 1.3 below we explain the intuition behind this security paradigm.

We then show that (slightly modified) protocols from the literature [1, 2] satisfy these definitions. These protocols use the quantum one-time pad and quantum information-theoretic authentication as subroutine [6, 36], but run them with keys that are only computationally secure to encrypt multiple messages. We explain the constructions and what is achieved in more detail in Sect. 1.4.

Now that we have security definitions that satisfy our desideratum, we revisit some game-based definitions from the literature, and compare them to our own notions of security. An overview of these results is given in Sect. 1.5.

1.3 Finite Computational Security

In traditional asymptotic security, a cryptographic protocol is parameterized by a single value \(k \in \mathbb {N}\)—any other parameters must be expressed as a function of k—and one studies a sequence of objects \(\{\Pi _k\}_{k \in \mathbb {N}}\). In composable security, one uses this to define a parameterized real world \(\mathbb {R}= \{\textsf {R}_k\}_{k \in \mathbb {N}}\) and ideal world \(\mathbb {S}= \{\textsf {S}_k\}_{k \in \mathbb {N}}\), and argues that no polynomial distinguisher \(\mathbb {D}= \{\textsf {D}_k\}_{k \in \mathbb {N}}\) can distinguish one from the other with non-negligible advantage. At first glance the notions of polynomial distinguishers and negligible functions might seem essential, because an unbounded distinguisher can obviously distinguish the two, and without a notion of negligibility, how can one define what a satisfactory bound on the distinguishability is?

The latter problem is the simpler to address: instead of categorizing distinguishability as black or white (negligible or not), we give explicit bounds. The former issue is resolved by observing that we never actually prove that the real and ideal world are indistinguishable (except in the case of information-theoretic security), since in most cases that would amount to solving a problem such as \(\textsf {P} \ne \textsf {NP}\). What one actually proves is a reduction, which is a finite statement, not an asymptotic one. More precisely, one proves that if \(\textsf {D}_k\) can distinguish \(\textsf {R}_k\) from \(\textsf {S}_k\) with advantage \(p_k\), then some (explicit) \(\textsf {D}'_k\) can solve some problem \(W_k\) with probability \(p'_k\)—if one believes that \(W_k\) is asymptotically hard to solve, then this implies that \(\mathbb {D}\) cannot distinguish \(\mathbb {R}\) from \(\mathbb {S}\).

A finite security statement stops after the reduction. We prove that for any \(k_0\) and any \(\textsf {D}_{k_0}\),

$$\begin{aligned} d^{\textsf {D}_{k_0}}(\textsf {R}_{k_0}, \textsf {S}_{k_0}) \le f(\textsf {D}_{k_0}), \end{aligned}$$
(1)

where \(d^{\textsf {D}_{k_0}}(\cdot ,\cdot )\) denotes the advantage \(\textsf {D}_{k_0}\) has in distinguishing two given systems, and \(f(\cdot )\) is some arbitrary function, e.g., the probability that \(\textsf {D}'_{k_0}\) (which is itself some function of \(\textsf {D}_{k_0}\)) can solve some problem \(W_{k_0}\).

Equation 1 does not require systems to be part of a sequence with a single security parameter \(k \in \mathbb {N}\). There may be no security parameter at all, or multiple parameters. Information-theoretic security corresponds to the special case where one can prove that \(f(\textsf {D}_{k_0})\) is small for all \(\textsf {D}_{k_0}\).

1.4 Constructing Quantum Channels

As mentioned in Sect. 1.1, we use the Abstract and Constructive Cryptography (AC) framework of Maurer and Renner [28, 30, 31] in this work. To define the security of a message transmission protocol, we need to first define the type of channel we wish to achieve—for simplicity, we always consider channels going from Alice to Bob.

The strongest channel we construct in this work is an ordered secure quantum channel, \(\mathsf{OSC}\), which allows Eve to decide which messages that Alice sent will be delivered to Bob and which ones get discarded. But it does not reveal any information about the messages (except their size and number) to Eve and guarantees that the delivered messages arrive in the same order in which they were sent. A somewhat weaker channel, a secure channel \(\mathsf{SC}\), also allows Eve to block or deliver each message, but additionally allows her to jumble their order of arrival at Bob’s.

Our first result shows that a modified version of a protocol from [2] constructs the strongest channel, \(\mathsf{OSC}\), from an insecure channel and a short key that is used to select a function from a pseudo-random family (PRF). Security holds for any distinguisher that cannot distinguish the output of the PRF from the output of a uniform function. We also show how one can construct \(\mathsf{OSC}\) from \(\mathsf{SC}\) by simply appending a counter to the messages.

The two channels described above are labeled “secure”, because they are both confidential (Eve does not learn anything about the messages) and authentic (Eve cannot change or insert any messages). If we are willing to sacrifice authenticity, we can define weaker channels that allow Eve to modify or insert messages in specific ways. We define a non-malleable confidential channel, \(\mathsf{NMCC}\)—which does not allow Eve to change a message sent by Alice, but does allow her to insert a message of her choice—and a Pauli-malleable channel, \(\mathsf{PMCC}\)—which allows Eve to apply bit and phase flips to Alice’s messages or insert a fully mixed state.

Our second construction modifies a protocol from [1] to construct \(\mathsf{PMCC}\) from an insecure channel and a short key that is used to select a function from a pseudo-random family (PRF). Here too, security holds for any distinguisher that cannot distinguish the PRF from uniform.

1.5 Comparison to Game-Based Definitions

In the last part of this work, we relate existing game-based security definitions for quantum encryption with our new proposed security definitions phrased in constructive cryptography. More concretely, we focus on the notions of quantum ciphertext indistinguishability under adaptive chosen-ciphertext attack (\(\mathsf{QCCA2}\)) and quantum authenticated encryption (\(\mathsf{QAE}\)), both introduced in [2].

We first note that encryption schemes are defined to be stateless in [1, 2, 11] and the proposed game-based definitions are tailored to such schemes. The restricted class of encryption protocols analyzed thus cannot construct ordered channels, because the players need to remember tags numbering the messages to be able to preserve this ordering. The strongest notion of encryption from these works, namely \(\mathsf{QAE}\), is thus closest to constructing a \(\mathsf{SC}\). In fact, we show that \(\mathsf{QAE}\) is strictly stronger than constructing a \(\mathsf{SC}\): a scheme satisfying \(\mathsf{QAE}\) constructs a \(\mathsf{SC}\), however there are (stateless) schemes constructing a \(\mathsf{SC}\) that would be considered insecure by the \(\mathsf{QAE}\) game. These schemes are obtained in the same way as the ones showing that classical \(\mathsf{IND}\text{-}\mathsf{CCA2}\) is unnecessarily strong: one starts with a scheme satisfying \(\mathsf{QAE}\) and appends a bit to the ciphertext, resulting in a new scheme that still constructs a \(\mathsf{SC}\), but is not \(\mathsf{QAE}\)-secure. Our proof shows that \(\mathsf{QAE}\) may be seen as constructing a \(\mathsf{SC}\) with a fixed simulator that is hard-coded in the game. A composable security definition only requires the existence of a simulator, and the separation between the two notions is obtained by considering schemes that can be proven secure using a different simulator than the one hard-coded in the game.

For \(\mathsf{QCCA2}\), we first propose an alternative game-based security notion that captures the same intuition, but which we consider more natural than the one suggested in [2]. In particular, its classical analogue is easily shown to be equivalent to a standard \(\mathsf{IND}\text{-}\mathsf{CCA2}\) notion, whereas the notion put forth in [2], when cast to a classical definition, incurs a concrete constant factor loss when compared to \(\mathsf{IND}\text{-}\mathsf{CCA2}\), and requires a complicated proof of this fact. We then show that for a restricted class of protocols (which includes all the ones for which a security proof is given in previous work), our new game-based notion indeed implies that the protocol constructs a \(\mathsf{NMCC}\). The same separation holds here as well: \(\mathsf{QCCA2}\) definitions are unnecessarily strong, and exclude protocols that naturally construct a \(\mathsf{NMCC}\). Note that in the classical case, the \(\mathsf{IND}\text{-}\textsf {RCCA}\) game [15] that was developed to avoid the problems of \(\mathsf{IND}\text{-}\mathsf{CCA2}\) has been shown to be exactly equivalent to constructing a classical non-malleable confidential channel in the case of large message spaces [17].

1.6 Alternative Security Notions

Common security definitions often capture properties of (encryption) schemes, e.g., let M be a plaintext random variable, let C be the corresponding ciphertext, H is the entropy function, \(M'\) is the received plaintext, and \(\textsf {accept}\) is the event that the message is accepted by the receiver, then

$$\begin{aligned} H(M|C) = H(M) \qquad \text {and} \qquad \Pr \left[ M \ne M' \text { and } \textsf {accept}\right] \le \varepsilon \end{aligned}$$
(2)

are simple notions of confidentiality and authenticity, respectively. But depending on how schemes satisfying these equations are used—e.g., encrypt-then-authenticate or authenticate-then-encrypt—one gets drastically different results. The equations in (2) may be regarded as crucial security properties of encryption schemes, but before schemes satisfying these may be safely used, one needs to consider the context and prove what is actually achieved by such constructs (in an operational sense).

The same applies to security definitions proposed for quantum key distribution. The accessible information and the trace distance criterion capture different properties of a secret key. If a scheme satisfying the former is used with an insecure quantum channel, then the resulting key could be insecure, but if the channel only allows the adversary to measure and store classical information, then the key has information-theoretic security [25, 38]. A scheme satisfying the latter notion—the trace distance criterion—constructs a secure key even when the quantum channel used is completely insecure [10, 38, 39]. Neither criterion is a satisfactory security definition on its own; both require a further analysis to prove whether a protocol satisfying them does indeed distribute a secure key. But now that this has been done [10, 38], the trace distance criterion has become a reference for what a quantum key distribution scheme must satisfy [40, 42].

Previous work on computational security of quantum message transmission [1, 2, 11] as well as the new definition of \(\mathsf{QCCA2}\) proposed in this paper may be viewed in the same light. These game-based definitions capture properties of encryption schemes. But before a scheme satisfying these definitions may be safely used, one needs to analyze how the scheme is used and what is achieved by it. The constructive definitions introduced in this work and the reductions from the game-based definitions do exactly this. As a result, \(\mathsf{QAE}\) or \(\mathsf{QCCA2}\) may be used as a benchmark for future schemes—though unlike the trace distance criterion, they are only sufficient criteria, not necessary ones.

1.7 Other Related Work

The desideratum expressed in Sect. 1.1 is the fruit of many different lines of research that go back to the late 90’s. We give an incomplete overview of some of this work in this section.

Composable security was introduced independently by Pfitzmann and Waidner [3, 4, 34, 35] and Canetti [12,13,14], who each defined their own framework, dubbed reactive simulatability and universal composability (UC), respectively. Unruh adapted UC to the quantum setting [43], whereas Maurer and Renner’s AC applies to any model of computation, classical or quantum [30]. Quantum UC may however not be used for finite security without substantial modifications, since it hard-codes asymptotic security in the framework: machines are defined by sequences of operators \(\left\{ \mathcal {E}^{(k)}\right\} _{k}\), where \(k \in \mathbb {N}\) is a security parameter, and distinguishability between networks of machines is then defined asymptotically in k.

Concrete security [7] addresses the issue of reductions and parameters being hidden in O-notation by requiring them to be explicit. These works consider distinguishing advantages (or game winning probabilities) as a function of the allowed complexity or running time of the distinguisher, and aim at proving statements that are as tight as possible. In such an approach, one would have to define a precise computational model. This, however, is avoided: any model in a certain class of meaningful models is considered equivalent. This unavoidably means that the security statements are asymptotic, at least up to an unspecified linear or sublinear term. In contrast, the objects we consider, including distinguishers, are discrete systems and are directly composed as such, without the need to consider a computational model for implementing the systems.

In the classical case, a model of discrete systems that may be used for finite security is random systems [27, 29]. Generalizations to the quantum case have been proposed by Gutoski and Watrous [19, 20]—and called quantum strategies—by Chiribella, D’Ariano and Perinotti [16]—called quantum combs—and by Hardy [21,22,23]—operator tensors. A model for discrete quantum systems that can additionally model time and superpositions of causal structures is the causal boxes framework [37].

None of the previous works on computational security of quantum message transmission satisfy any of the three criteria outlined in Sect. 1.1. These criteria are however standard by now for quantum key distribution [38, 42]. In the classical case, they have also been used for computational security, e.g., [17, 32].

1.8 Structure of This Paper

In Sect. 2 we introduce the elements needed from AC [28, 30, 31], and from the discrete system model with which we instantiate AC, namely quantum combs [16]. This allows us to define the notion of a finite construction of a resource (e.g., a secure channel) from another resource (e.g., an insecure channel and a key). In Sect. 3 we first define the channels and other resources needed in this work. Then we give protocols and prove that they construct various confidential and secure channels, as outlined in Sect. 1.4. Finally, in Sect. 4 we compare our security definitions to some game-based ones from the literature [2] and prove the results described in Sect. 1.5.

2 Abstract and Constructive Cryptography

In this section we give a brief overview of the Abstract and Constructive Cryptography (AC) framework, which is sufficient to understand the main claims of this work. A more extended introduction to AC is provided in the full version [5], which is needed to understand the proofs. We refer to [28, 30, 31, 38] for further reading.

The AC framework views cryptography as a resource theory in which a protocol is a transformation between resources. Players may share certain resources—e.g., secret key, an authentic channel, a public-key infrastructure, common reference strings, etc.—and use these to construct other resources—e.g., an authentic channel, a secure channel, secret key, a bit commitment resource, an idealization of a multipartite function, etc. More abstractly, a protocol \(\pi \) uses some resource \(\textsf {R}\) (the assumed resource) to construct some other resource \(\textsf {S}\) (the constructed resource) within \(\varepsilon \), where \(\varepsilon \) may be thought of as the error of the construction. We denote this

$$\begin{aligned} \textsf {R} \xrightarrow {\pi ,\varepsilon } \textsf {S}.\end{aligned}$$
(3)

A formal definition of Eq. (3) is provided in the full version [5].

Such a security statement is composable, because if \(\pi _1\) constructs \(\textsf {S}\) from \(\textsf {R}\) within \(\varepsilon _1\) and \(\pi _2\) constructs \(\textsf {T}\) from \(\textsf {S}\) within \(\varepsilon _2\), the composition of the two protocols, \(\pi _2\pi _1\), constructs \(\textsf {T}\) from \(\textsf {R}\) within \(\varepsilon _1+\varepsilon _2\), i.e.,

$$\begin{aligned} \left. \begin{aligned}&\textsf {R} \xrightarrow {\pi _1,\varepsilon _1} \textsf {S} \\&\textsf {S} \xrightarrow {\pi _2,\varepsilon _2} \textsf {T} \end{aligned}\right\} \implies \textsf {R} \xrightarrow {\pi _2\pi _1,\varepsilon _1+\varepsilon _2} \textsf {T}. \end{aligned}$$
(4)

In this work, resources \(\textsf {R}\), \(\textsf {S}\) or \(\textsf {T}\) are instantiated with a model of quantum interactive systems called quantum strategies [19, 20] or quantum combs [16] in the literature. We use the term interface to denote the inputs and outputs accessible to a specific player, e.g., most resources considered in this work have 3 interfaces for Alice, Bob and Eve. In the following we often provide pseudo-code describing a resource. However, this always corresponds to a specific quantum strategy/comb. When multiple resources \(\textsf {R}_1,\dotsc ,\textsf {R}_n\) are accessible to players, we write \(\left[ \textsf {R}_1,\dotsc ,\textsf {R}_n\right] \) for the new resource resulting from combining the individual \(\textsf {R}_i\) in parallel. The mathematical meaning of this expression is explained in the full version [5].

We often write a protocol \(\pi = (\pi _A,\pi _B)\) as a tuple, where each element \(\pi _A\) corresponds to the operations of a specific player (e.g., A for Alice), and only interacts at the corresponding interface of the shared resources. Formally, these are functions mapping a resource to another resource. Running several protocols then corresponds to the composition of the functions as in Eq. (4).

Finally, the error of a construction \(\varepsilon \) that appears in Eq. (3) is a function mapping distinguishers to real numbers. In information-theoretic security, one has that \(\varepsilon (\textsf {D})\) is small for all distinguishers \(\textsf {D}\). In computational security this might not be the case, since security does not hold against all adversaries, only efficient ones. More precisely, let \(\textsf {D}[\textsf {R}]\) be the random variable corresponding to the distinguisher’s output when interacting with \(\textsf {R}\). Then the functions

are pseudo-metrics for any set of distinguishers \(\mathcal {D}\). We define the error of a construction using one particular set \(\mathcal {D}\), namely the set of distinguishers obtained from some distinguisher \(\textsf {D}\) by adding or removing converters between \(\textsf {D}\) and the measured resources. Thus, for any distinguisher \(\textsf {D}\), we define the class

(5)

where \(\Delta ^{\textsf {D}\alpha }(\textsf {R},\textsf {S}) = \Delta ^{\textsf {D}}(\alpha \textsf {R},\alpha \textsf {S})\). Abusing notation somewhat, we often write \(\textsf {D}\) instead of \(\mathcal {B}(\textsf {D})\). In the following, \(d^{\textsf {D}}(\cdot ,\cdot )\) always refers to the pseudo-metric using the class of distinguishers generated from \(\textsf {D}\) as in Eq. (5).

We now formalize the notion of (secure) resource construction in the three party setting, with honest Alice and Bob and dishonest Eve.

Definition 1

(Cryptographic security [30]). Let \(\varepsilon \) be a function from distinguishers to real numbers. We say that a protocol \(\pi _{AB} = (\pi _A,\pi _B)\) constructs a resource \(\mathsf{S}\) from a resource \(\mathsf{R}\) within \(\varepsilon \) if there exists a converter \(\mathsf{sim}_E\) (called a simulator) such that for all \(\mathsf{D}\),

$$\begin{aligned} d^{\mathsf{D}}(\pi _{AB} \mathsf{R},\mathsf{sim}_E \mathsf{S}) \le \varepsilon (\mathsf{D}). \end{aligned}$$

If this holds, then we write

$$\begin{aligned} \mathsf{R} \xrightarrow {\pi ,\varepsilon } \mathsf{S}. \end{aligned}$$

When the resources \(\mathsf{R},\mathsf{S}\) are clear from the context, we say that \(\pi \) is \(\varepsilon \)-secure.

\(\pi _{AB} \textsf {R}\) is often referred to as the real system, and \(\mathsf{sim}_E \textsf {S}\) as the ideal one. We emphasize that an ideal (or constructed) resource \(\textsf {S}\) will be used as the real (or assumed) resource in the next construction, so the terms real and ideal are relative. The details may be found in the full version [5].

3 Constructing Quantum Cryptographic Channels

In Sect. 3.1 we introduce the notation for Pauli operators and the Bell basis. In Sects. 3.2 and 3.3 we formalize the resources used in our constructions. Then, starting from the insecure quantum channel \(\mathsf{IC}\), a shared secret key \(\mathsf{KEY}\) and a local pseudo-random function \(\mathsf{PRF}\), we show how to construct (1) the ordered secure quantum channel \(\mathsf{OSC}\) in Sect. 3.4 and (2) the Pauli-malleable confidential quantum channel \(\mathsf{PMCC}\) in Sect. 3.5. A construction of the ordered secure quantum channel \(\mathsf{OSC}\) from one which is secure but not ordered (\(\mathsf{SC}\)) is also presented in the full version [5].

3.1 Quantum Operators and States

Pauli Operators. We write \(P_k\) or \(P_{x,z}\) to denote a Pauli operator on m qubits, where \(k =(x,z)\) is the concatenation of two m-bit strings indicating on which qubits bit flips and phase flips occur.

$$\begin{aligned} P_k = P_{x,z} = \bigotimes _{i=1}^m P_{x_iz_i}, \qquad \text {where} \quad P_{ab} = {\left\{ \begin{array}{ll} I &{} a=0, b=0,\\ X&{} a=1, b=0,\\ Z&{} a=0, b=1,\\ XZ&{} a=1, b=1.\\ \end{array}\right. } \end{aligned}$$

Note that \(P_k = P_k^{\dagger }\), therefore we simply write \(P_k\rho P_k\) when applying a Pauli-operator \(P_k\) on state \(\rho \). To undo Pauli-operator \(P_k\), we simply apply \(P_k\) again, namely, \(P_kP_k\rho P_kP_k = \rho \).
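The following pure-Python snippet is an added illustration, not code from the paper: it builds \(P_{x,z}\) from the two bit strings exactly as defined above, checks that re-applying \(P_k\) undoes it as a channel \(\rho \mapsto P_k\rho P_k^{\dagger}\) (the sign in \(P_kP_k = \pm I\) coming from \(XZ\) factors cancels under conjugation), and goes one step beyond the section by verifying the averaging property behind the quantum one-time pad used as a subroutine in Sect. 1.2: a uniformly random 2m-bit key maps every state to the fully mixed state. All helper functions and the sample states are our own constructions.

```python
"""Pauli operators P_{x,z} on m qubits from two m-bit strings, the undo-by-
reapplying check, and the quantum one-time-pad averaging property.
Pure-Python complex matrices (lists of lists), no numpy required."""
from itertools import product

I2 = [[1, 0], [0, 1]]
X = [[0, 1], [1, 0]]
Z = [[1, 0], [0, -1]]


def matmul(a, b):
    n, k, p = len(a), len(b), len(b[0])
    return [[sum(a[i][t] * b[t][j] for t in range(k)) for j in range(p)] for i in range(n)]


def kron(a, b):
    """Tensor (Kronecker) product of two matrices."""
    ra, ca, rb, cb = len(a), len(a[0]), len(b), len(b[0])
    return [[a[i // rb][j // cb] * b[i % rb][j % cb] for j in range(ca * cb)]
            for i in range(ra * rb)]


def dagger(a):
    """Conjugate transpose."""
    return [[a[j][i].conjugate() for j in range(len(a))] for i in range(len(a[0]))]


def identity(n):
    return [[1 if i == j else 0 for j in range(n)] for i in range(n)]


def close(a, b, tol=1e-9):
    return all(abs(a[i][j] - b[i][j]) < tol for i in range(len(a)) for j in range(len(a[0])))


def single_pauli(a, b):
    """P_ab as in the paper: I, X, Z or XZ for (bit flip, phase flip) = (a, b)."""
    return {(0, 0): I2, (1, 0): X, (0, 1): Z, (1, 1): matmul(X, Z)}[(a, b)]


def pauli(x, z):
    """P_{x,z} = tensor over i of P_{x_i z_i}, for equal-length bit strings x and z."""
    assert len(x) == len(z)
    op = [[1]]
    for xi, zi in zip(x, z):
        op = kron(op, single_pauli(int(xi), int(zi)))
    return op


def apply_pauli(op, rho):
    """The channel rho -> P rho P^dagger."""
    return matmul(matmul(op, rho), dagger(op))


def pure_state(amplitudes):
    """Density matrix |psi><psi| of a normalised amplitude vector (constructed input)."""
    return [[a * b.conjugate() for b in amplitudes] for a in amplitudes]


def undo_by_reapplying(x, z, rho):
    """Applying P_k twice (as a channel) restores rho, as remarked in the paper."""
    p = pauli(x, z)
    return close(apply_pauli(p, apply_pauli(p, rho)), rho)


def square_sign(x, z):
    """P_k P_k = +I or -I: the sign is -1 for an odd number of XZ factors (XZ XZ = -I).
    This global phase cancels in the channel, so the undo above still works."""
    sq = matmul(pauli(x, z), pauli(x, z))
    n = len(sq)
    if close(sq, identity(n)):
        return 1
    if close(sq, [[-v for v in row] for row in identity(n)]):
        return -1
    return 0


def one_time_pad_average(rho, m):
    """(1/4^m) * sum over all 2m-bit keys of P_k rho P_k^dagger.
    For every rho this equals I/2^m, which is why a uniformly random Pauli key
    (the quantum one-time pad) leaks nothing about the message."""
    n = 2 ** m
    acc = [[0] * n for _ in range(n)]
    for bits in product("01", repeat=2 * m):
        x, z = "".join(bits[:m]), "".join(bits[m:])
        t = apply_pauli(pauli(x, z), rho)
        acc = [[acc[i][j] + t[i][j] for j in range(n)] for i in range(n)]
    return [[v / 4 ** m for v in row] for row in acc]


def is_fully_mixed(rho, m):
    return close(rho, [[v / 2 ** m for v in row] for row in identity(2 ** m)])


if __name__ == "__main__":
    # Constructed sample: the two-qubit state (|00> + |11>) / sqrt(2).
    bell = pure_state([2 ** -0.5, 0, 0, 2 ** -0.5])
    print(undo_by_reapplying("11", "11", bell))              # True
    print(square_sign("10", "11"))                            # -1, one XZ factor
    print(is_fully_mixed(one_time_pad_average(bell, 2), 2))  # True
```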

Bell Basis. We write as the maximally entangled state of 2m qubits, , and as the result of applying \(P_k\) to half of the qubits. Then forms the Bell basis for 2m qubits.

3.2 Key Resources

A (shared) secret key resource corresponds to a system that provides a key k to the honest players, but nothing to the adversary.

Definition 2

(Symmetric (Classical) Key \(\mathsf{KEY}\)). The resource \(\mathsf{KEY}\) is associated with a probability distribution \(P_K\) for (classical) key space \(\mathcal {K}\). A key \(k \in \mathcal {K}\) is drawn according to \(P_K\) and stored in the resource.

  • Interface \({A}\): On input \(\mathsf{getKey}\), k is output at interface \({A}\).

  • Interface \({B}\): On input \(\mathsf{getKey}\), k is output at interface \({B}\).

  • Interface \({E}\): Inactive.

In the computational setting, instead of sharing a long key, players often share a short key which is used as the seed of a local key expansion scheme. One such key expansion scheme, which we use in this work, is a so-called pseudo-random function. It is essentially a family of functions which looks random.

Definition 3

(Pseudo Random Function \(\mathsf{PRF}^{r,\nu ,\mu }\)). The resource \(\mathsf{PRF}^{r,\nu ,\mu }\) is associated with a family of functions and has an internal variable \(\mathsf{seed}\) of length r. The functions in the family have input length \(\nu \) and output length \(\mu \). The resource is local to one party only. Let this party’s interface be labeled \(X\).

  • Interface \(X\):

    • On input \(\mathsf{seed}(s)\), set variable \(\mathsf{seed}\) to s.

    • On input \(\mathsf{input}(x)\), output \(f_\mathsf{seed}(x)\) at interface \(X\).

The above definition of a \(\mathsf{PRF}\) does not contain any criterion for what it means to “look random”. This is defined in a second step as distinguishability from a uniform random function.

Definition 4

(Uniform Random Function \(\mathsf{URF}^{\nu , \mu }\)). The resource \(\mathsf{URF}^{\nu , \mu }\) picks a function f from all functions \(\{0,1\}^{\nu } \rightarrow \{0,1\}^{\mu }\) uniformly at random.

  • Interface \(A\): On input \(\mathsf{input}(x)\), output f(x) at interface \({A}\).

  • Interface \(B\): On input \(\mathsf{input}(x)\), output f(x) at interface \({B}\).

  • Interface \(E\): Inactive.

Let \(\pi ^\mathsf{PRF}\) be the trivial protocol which uses a (short) shared key (from a \(\mathsf{KEY}\) resource) and plugs it as seed in a \(\mathsf{PRF}\) resource, and let \(\varepsilon ^\mathsf{PRF}(\textsf {D})\) be the advantage the distinguisher \(\textsf {D}\) has in distinguishing such a construction from a \(\mathsf{URF}\), i.e., for all \(\textsf {D}\)

$$d^{\textsf {D}}(\pi ^\mathsf{PRF}[\mathsf{KEY}^r, \mathsf{PRF}_A^{r,\nu ,\mu }, \mathsf{PRF}_B^{r,\nu ,\mu }], \mathsf{URF}^{\nu ,\mu }) \le \varepsilon ^\mathsf{PRF}(\textsf {D}),$$

where \(d^{\textsf {D}}(\cdot , \cdot )\) is the distinguisher pseudo-metric as defined in Sect. 2. In terms of AC construction, this means that

$$\begin{aligned} \left[ \mathsf{KEY}^r, \mathsf{PRF}_A^{r,\nu ,\mu }, \mathsf{PRF}_B^{r,\nu ,\mu }\right] \xrightarrow {\pi ^{\mathsf{PRF}},\varepsilon ^\mathsf{PRF}} \mathsf{URF}^{\nu ,\mu } . \end{aligned}$$
(6)

Concrete constructions of PRFs proven secure in the presence of quantum adversaries may be found in [45].

3.3 Channel Resources

We consider three-party channels in this work: the sending party Alice has access to interface \({A}\), the receiving party Bob to interface \({B}\), and the adversary Eve to interface \({E}\). We model all our channels in the following way: upon an input at interface \({A}\), an output is generated at interface \({E}\), while upon an input at interface \({E}\), an output is generated at interface \({B}\). Moreover, we consider multi-message channels parameterized by \(\ell \), that is, Alice and Eve can provide at most \(\ell \) inputs at their respective interfaces. These inputs can be entangled with each other. We model quantum channels, therefore inputs and outputs to and from the channels’ interfaces are quantum systems. The channels are also parameterized by m, the size of each message in qubits.

In the following we introduce the formal description of the channels considered in this work by specifying the behavior they assume upon inputs at their \({A}\) and \({E}\) interfaces. First, we consider the weakest possible channel, that is, the insecure one, which gives full control to the adversary Eve. Eve receives all the messages that Alice inputs to the channel. Bob receives all the messages that Eve inputs to the channel.

Definition 5

(Insecure Quantum Channel \(\mathsf{IC}^{\ell ,m}\) )

  • Interface \({A}\): On receiving an input system in some state \(\rho \), perform an identity map and output the same system at interface \({E}\).

  • Interface \({E}\): On receiving an input system in some state \(\rho '\), perform an identity map and output the same system at interface \({B}\).

Interfaces \({A}\) and \({E}\) will receive at most \(\ell \) inputs and ignore the rest. The quantum systems input at interfaces \({A}\) and \({E}\) and output at interface \({B}\) have length m in qubits.

Next, we enhance the insecure channel by providing some form of confidentiality on the states input by Alice. More precisely, we allow Eve to only get a notification that a new message has arrived in interface \({A}\), but still, Eve will retain the capability to modify each input \(\rho ^{A_i}\) (held in register \(A_i\)).

Here, one may consider different ways in which Eve is allowed to modify the messages. The first channel we consider grants Eve the power to insert fully mixed states on the channel, to apply Pauli operators (bit flips and phase flips) to Alice’s messages, and to decide when each message gets delivered. This is modeled by keeping a register \(A_i\) for each new input at interface \({A}\), and allowing Eve to input indices specifying which register should be modified and output at interface \({B}\). Along with the index, Eve also inputs a string of length 2m, indicating on which qubits of the message to apply Pauli operators. If Eve wants a fully mixed state to be output at Bob’s, she inputs \(\bot \) at her interface and the channel generates the corresponding state.

Definition 6

(Pauli-Malleable Confidential Quantum Channel \(\mathsf{PMCC}^{\ell ,m}\)). The channel keeps registers \(A_1, A_2, \dots , A_\ell \), initially set to \(\bot \).

  • Interface \({A}\): Upon receiving the i-th input in some state \(\rho \), this system is stored in register \(A_i\), and \(\mathsf{newMsg}\) is output at interface \({E}\).

  • Interface \({E}\) :

    • On input \((j, k)\in [\ell ] \times \{0,1\}^{2m}\), output a system in state \(P_k\rho ^{A_j}P_k\) at interface \({B}\), where \(\rho ^{A_j}\) is the state of the system held in register \(A_j\) and \(P_k\) is the Pauli operator defined by the string k. If the tuple is invalid or \(\rho ^{A_j}\) is \(\bot \), the input is considered as \(\bot \). After the output, the state in register \(A_j\) becomes \(\bot \).

    • On input \(\bot \), output a fully mixed state \(\frac{1}{2^m}I_{2^m}\) at interface \({B}\).

Interfaces \({A}\) and \({E}\) will receive at most \(\ell \) inputs and ignore the rest. The quantum systems input at interface \({A}\) and output at interface \({B}\) always have length m in qubits.

Another type of confidential channel we consider is obtained by removing Eve’s capability to modify Alice’s messages, while giving her the ability to inject any system (instead of only systems in the fully mixed state).

Definition 7

(Non-Malleable Confidential Quantum Channel \(\mathsf{NMCC}^{\ell ,m}\)). The channel keeps registers \(A_1, A_2, \dots , A_\ell \), initially set to \(\bot \).

  • Interface \({A}\): Upon receiving the i-th input in some state \(\rho \), this system is stored in register \(A_i\), and \(\mathsf{newMsg}\) is output at interface \({E}\).

  • Interface \({E}\) :

    • On receiving an input system in some state \(\rho '\), perform an identity map and output the same system at interface \({B}\).

    • On input index \(j\in [\ell ]\), output the system in state \(\rho ^{A_j}\) held in register \(A_j\) at interface \({B}\). After the output, the state of register \(A_j\) becomes \(\bot \).

Interfaces \({A}\) and \({E}\) will receive at most \(\ell \) inputs and ignore the rest. The quantum systems input at interface \({A}\) and output at interface \({B}\) always have length m in qubits.

The next property to consider is authenticity: recall that in the quantum setting, authenticity implies confidentiality, thus it does not make sense to consider a “non-confidential authentic channel”, since a state cannot be cloned to be given to both Bob and Eve. An authentic channel will automatically also be a confidential one [6]. Therefore, as a next channel we directly consider the secure one – by secure we mean both authentic and confidential. Eve only knows that a new message has arrived but cannot read, modify, nor inject messages. Eve still has the power to block and reorder Alice’s messages.

Definition 8

(Secure Quantum Channel \(\mathsf{SC}^{\ell ,m}\)). The channel keeps registers \(A_1, A_2, \dots , A_\ell \), initially set to \(\bot \).

  • Interface \({A}\): Upon receiving the i-th input in some state \(\rho \), this system is stored in register \(A_i\), and \(\mathsf{newMsg}\) is output at interface \({E}\).

  • Interface \({E}\): On input index \(j\in [\ell ]\), output the system in state \(\rho ^{A_j}\) held in register \(A_j\) at interface \({B}\). After the output, the state in register \(A_j\) becomes \(\bot \).

Interfaces \({A}\) and \({E}\) will receive at most \(\ell \) inputs and ignore the rest. The quantum systems input at interface \({A}\) and output at interface \({B}\) always have length m in qubits.

Finally, we consider an even stronger version of the secure channel which preserves the order of the transmitted messages. In particular, the adversary now only retains the power to delete messages, but cannot change the order in which they are transmitted. This is enforced by replacing the capability to input indices by the ability of only inputting either \(\mathsf{send}\) or \(\mathsf{skip}\).

Definition 9

(Ordered Secure Quantum Channel \(\mathsf{OSC}^{\ell ,m}\)). The channel keeps registers \(A_1, A_2, \dots , A_\ell \), initially set to \(\bot \).

  • Interface \({A}\): Upon receiving the i-th input in some state \(\rho \), this system is stored in register \(A_i\), and \(\mathsf{newMsg}\) is output at interface \({E}\).

  • Interface \({E}\): On i-th input \(\mathsf{send}\) or \(\mathsf{skip}\): If the input is \(\mathsf{send}\), output the system in state \(\rho ^{A_i}\) held in register \(A_i\) at interface \({B}\). If the input is \(\mathsf{skip}\), then output \(\bot \) at interface \({B}\). After the output, the state in register \(A_i\) becomes \(\bot \).

Interfaces \({A}\) and \({E}\) will receive at most \(\ell \) inputs and ignore the rest. The quantum systems input at interface \({A}\) and output at interface \({B}\) always have length m in qubits.

3.4 Constructing an Ordered Secure Quantum Channel

As shown in [36], there is a construction of a one-time secure quantum channel from a one-time insecure quantum channel resource and a uniform key resource within \(\epsilon ^\mathrm {q\text{-}auth}\), i.e.,

$$\left[ \mathsf{IC}^{1,n}, \mathsf{KEY}^{\mu }, \mathsf{QC}^{1,m,n}_A,\mathsf{QC}^{1,m,n}_B\right] \xrightarrow {\pi ^\mathrm {q\text{-}auth}_{AB},\epsilon ^\mathrm {q\text{-}auth}} \left[ \mathsf{SC}^{1,m},\mathsf{QC}^{2,m,n}_E\right] .$$

Here, \(\mathsf{IC}\), \(\mathsf{SC}\) and \(\mathsf{KEY}\) are channel and key resources, as defined above. \(\mathsf{QC}_{A/B/E}\) denote a resource that does quantum computation for Alice, Bob or Eve, and allows them to perform encryption and decryption operations (we informally refer to such resources as quantum computers in the following). These appear in the construction statement since for finite security one makes all computational operations explicit—see the full version [5] for more details.

We denote the encoding and decoding CPTP maps in this construction by \(\mathsf{enc}^\mathrm {q\text{-}auth}:\mathcal {K}\times \mathcal {L}(\mathcal {H}_A) \rightarrow \mathcal {L}(\mathcal {H}_C)\) and \(\mathsf{dec}^\mathrm {q\text{-}auth}:\mathcal {K}\times \mathcal {L}(\mathcal {H}_{\tilde{C}}) \rightarrow \mathcal {L}(\mathcal {H}_B \oplus {|\bot \rangle \!\langle \bot |})\). We also denote by \(\mathcal {E}\) the CPTP map that always discards the state and replaces it with error state \({|\bot \rangle \!\langle \bot |}\). In this section, we build on top of these encoding and decoding maps to construct a multi-message ordered secure quantum channel from a multi-message insecure quantum channel, with a shared uniform random function resource \(\mathsf{URF}^{\log \ell ,\mu }\). The real system is drawn in Fig. 2 and the components are described in Fig. 1.

Fig. 1. Converters and computing resources to construct \(\mathsf{OSC}^{\ell ,m}\) from \(\mathsf{IC}^{\ell ,n+\log \ell }\). \(\mathsf{QC}^{\ell , m, n+\log \ell }_A\) and \(\mathsf{QC}^{\ell , m, n+\log \ell }_B\) will be queried \(\ell \) times. The plaintext has length m and the ciphertext has length \(n + \log \ell \). \(\mathsf{URF}^{\log \ell , \mu }\) has input length \(\log \ell \) and output length \(\mu \).

Fig. 2. The real system consisting of the shared resources \(\mathsf{IC}^{\ell ,n+\log \ell }\) and \(\mathsf{URF}^{\log \ell ,\mu }\), Alice and Bob’s computing resources \(\mathsf{QC}^{\ell ,m,n+\log \ell }_A \) and \(\mathsf{QC}^{\ell ,m,n+\log \ell }_B\), and the protocol converters \(\pi _A\) and \(\pi _B\).

Theorem 1

Let \(\pi _{AB}=(\pi _A, \pi _B), \mathsf{QC}^{\ell , m, n+\log \ell }_A ,\mathsf{QC}^{\ell , m, n+\log \ell }_B\) and \(\mathsf{URF}^{\log \ell ,\mu }\) denote converters and computing resources as described in Fig. 1, corresponding to Alice and Bob both applying the following CPTP maps with increasing index i:

$$\Lambda _i^{A \rightarrow CT}(\cdot ) = \mathsf{enc}^\mathrm {q\text{-}auth}_{k_i}(\cdot ) \otimes {|i\rangle \!\langle i|}^T$$

where \(\bar{P}_i = I-{|i\rangle \!\langle i|}\), and \(k_i\) is the output of \(\mathsf{URF}^{\log \ell ,\mu }\) on input i. Let \(\mathsf{QC}_E^{2\ell , m, n+\log \ell }\) be the computing resource of Eve capable of doing \(\ell \) encryption operations and \(\ell \) decryption operations. Let \(\epsilon ^\mathrm {q\text{-}auth}\) be the upper bound on the distinguishing advantage of the one-time secure quantum channel construction. Then,

figure a

Proof

The proof of Theorem 1 appears in the full version [5].

Remark 1

Theorem 1 is meaningful only if the protocol is also correct, i.e., if the distinguisher always puts back the same ciphertext on the insecure channel in the right order, then Bob always successfully decrypts. This follows trivially from the correctness of the underlying quantum authentication protocol, so we omit a formal discussion of it.

Suppose now that one has a \(\mathsf{PRF}\) resource and a bound \(\epsilon ^\mathsf{PRF}\) satisfying Eq. (6), that is, a \(\mathsf{PRF}\) indistinguishable from \(\mathsf{URF}\) within \(\epsilon ^\mathsf{PRF}\). Then the following corollary follows directly from the composition theorem.

Corollary 1

figure b

where \(\pi '_{AB} =(\pi _{AB}, \pi ^{\mathsf{PRF}}), \epsilon (\mathsf{D}) = \epsilon ^\mathsf{PRF}(\mathsf{DC})+\ell \epsilon ^{\mathrm {q\text{-}auth}}\) and \(\mathsf{C}\) is the system including \( \pi _{AB}, \mathsf{IC}^{\ell ,n+\log \ell }, \mathsf{QC}^{\ell ,m,n+\log \ell }_A, \mathsf{QC}^{\ell ,m,n+\log \ell }_B\).

3.5 Constructing a Pauli-Malleable Confidential Quantum Channel

In this section, we construct a Pauli-malleable confidential quantum channel \(\mathsf{PMCC}^{\ell ,m}\) from an insecure quantum channel \(\mathsf{IC}^{\ell ,m+\nu }\). In the Pauli-malleable confidential channel, the adversary can only get a notification of a new message arriving but has no access to the message. The adversary has the ability to block, reorder and modify the message via Pauli operators (bit flip and phase flip), as well as ask the channel to output a fully mixed state at Bob’s interface, as defined in Definition 6.

Now we present the protocol in the multi-message case, described in Fig. 3. In the protocol, Alice’s computer generates, for each message, a fresh random string x of length \(\nu \) that differs from all previous random strings, inputs it to \(\mathsf{URF}^{\nu ,2m}\) to obtain a key k, applies the Pauli operator \(P_k\) to the message, and appends x to the ciphertext. Bob’s computer measures the last \(\nu \) qubits to obtain \(\tilde{x}\), inputs it to \(\mathsf{URF}^{\nu ,2m}\) to obtain \(\tilde{k}\), and finally applies the Pauli operator \(P_{\tilde{k}}\) to the ciphertext. The real system is drawn in Fig. 4.

Fig. 3. Converters and computing resources to construct \(\mathsf{PMCC}^{\ell ,m}\) from \(\mathsf{IC}^{\ell ,m+\nu }\). \(\mathsf{QC}^{\ell , m, m+\nu }_A\) and \(\mathsf{QC}^{\ell , m, m+\nu }_B\) will be queried \(\ell \) times. The plaintext has length m and the ciphertext has length \(m+\nu \). \(\mathsf{URF}^{\nu , 2m}\) has input length \(\nu \) and output length 2m.

Fig. 4. The real system consisting of the shared resources \(\mathsf{IC}^{\ell ,m+\nu }\) and \(\mathsf{URF}^{\nu ,2m}\), Alice and Bob’s computing resources \(\mathsf{QC}^{\ell , m, m+\nu }_A\) and \(\mathsf{QC}^{\ell , m, m+\nu }_B\), and the protocol converters \(\pi _A\) and \(\pi _B\).

Theorem 2

Let \(\pi _{AB}=(\pi _A, \pi _B), \mathsf{QC}^{\ell , m, m+\nu }_A\) and \(\mathsf{QC}^{\ell , m, m+\nu }_B\) denote converters and computing resources, described in Fig. 3, corresponding to Alice and Bob applying the following CPTP maps,

where \(k_x\) is the output of \(\mathsf{URF}^{\nu ,2m}\) on input x. Let \(\mathsf{QC}_E^{2\ell , m, m+\nu }\) be the computing resource of Eve capable of doing \(\ell \) encryption operations and \(\ell \) decryption operations. Then \(\pi _{AB}\) constructs a Pauli-malleable confidential quantum channel \(\mathsf{PMCC}^{\ell , m}\) from an insecure quantum channel resource \(\mathsf{IC}^{\ell ,m+\nu }\) and a shared uniform random function resource \(\mathsf{URF}^{\nu , 2m}\) within \(\ell ^2 \cdot 2^{-\nu } \), i.e.,

figure c

Proof

The proof of Theorem 2 appears in the full version [5].

Remark 2

The protocol given in Theorem 2 also has to satisfy correctness, i.e., when the distinguisher always puts back the same state, Bob should decrypt correctly. One can easily see that this holds, since in the real world the state is flipped on Alice’s side and flipped back on Bob’s side, thus the distinguisher gets the same state back at interface \({B}\).
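A toy simulation of the protocol of this section and of the two Eve inputs of Definition 6, added here as an example (it is not code from the paper). It assumes the following conventions: a Pauli string \(k\in \{0,1\}^{2m}\) lists the m X-bits first and the m Z-bits last, with \(P_k = X^{a}Z^{b}\) qubit-wise; the \(\mathsf{URF}\) is a lazily filled random table; states are pure m-qubit state vectors held as Python lists of amplitudes; and the honest run, Eve's Pauli tampering and Eve's injection of an unused nonce are checked on a constructed sample message.

```python
"""Toy simulation of the Pauli one-time-pad protocol of Sect. 3.5 (added example,
not the paper's code). Assumed conventions: a Pauli string k in {0,1}^{2m} holds
the m X-bits then the m Z-bits, P_k = X^a Z^b qubit-wise; the URF is a lazily
filled random table; states are m-qubit state vectors as lists of amplitudes."""
import cmath
import math
import random
from itertools import product

M = 2   # message length m in qubits
NU = 8  # nonce length nu in bits (tiny, for illustration only)


def pauli_apply(k_bits, state):
    """Return P_k|state> for k_bits = (a_1..a_m, b_1..b_m): Z^b phases, then X^a flips."""
    m = len(k_bits) // 2
    a_mask = int("".join(map(str, k_bits[:m])), 2)
    b_mask = int("".join(map(str, k_bits[m:])), 2)
    out = [0j] * len(state)
    for idx, amp in enumerate(state):
        phase = -1 if bin(idx & b_mask).count("1") % 2 else 1
        out[idx ^ a_mask] += phase * amp
    return out


class URF:
    """Uniform random function {0,1}^nu -> {0,1}^{2m}, sampled on first use."""

    def __init__(self, nu, out_len, rng):
        self.nu, self.out_len, self.rng, self.table = nu, out_len, rng, {}

    def __call__(self, x):
        if x not in self.table:
            self.table[x] = tuple(self.rng.randrange(2) for _ in range(self.out_len))
        return self.table[x]


def alice_encrypt(urf, used, state, rng):
    """pi_A: pick a nonce x never used before, k = URF(x), send (P_k|state>, x)."""
    x = rng.randrange(2 ** urf.nu)
    while x in used:
        x = rng.randrange(2 ** urf.nu)
    used.add(x)
    return pauli_apply(urf(x), state), x


def bob_decrypt(urf, cipher):
    """pi_B: read the nonce x~ appended to the ciphertext, apply P_{URF(x~)}."""
    state, x = cipher
    return pauli_apply(urf(x), state)


def same_up_to_phase(u, v):
    """True iff normalised vectors u and v differ only by a global phase."""
    inner = sum(a.conjugate() * b for a, b in zip(u, v))
    return math.isclose(abs(inner), 1.0, abs_tol=1e-9)


def pauli_twirl(state):
    """Average P_k|state><state|P_k^dagger over all 4^m Paulis: Bob's output averaged
    over an independent uniform key, e.g. after Eve swaps in an unused nonce x'."""
    dim = len(state)
    acc = [[0j] * dim for _ in range(dim)]
    keys = list(product((0, 1), repeat=2 * round(math.log2(dim))))
    for k in keys:
        vec = pauli_apply(k, state)
        for r in range(dim):
            for c in range(dim):
                acc[r][c] += vec[r] * vec[c].conjugate()
    return [[acc[r][c] / len(keys) for c in range(dim)] for r in range(dim)]


def is_fully_mixed(rho):
    """True iff rho equals I / 2^m, the state PMCC outputs on Eve's input bot."""
    dim = len(rho)
    return all(cmath.isclose(rho[r][c], (1 / dim) if r == c else 0, abs_tol=1e-9)
               for r in range(dim) for c in range(dim))


def demo(seed=1):
    """Honest run, Eve's Pauli tampering, and Eve's fresh-nonce injection."""
    rng = random.Random(seed)
    urf = URF(NU, 2 * M, rng)
    used = set()
    # Constructed sample message: (|00> + |11>)/sqrt(2) on m = 2 qubits.
    psi = [1 / math.sqrt(2), 0, 0, 1 / math.sqrt(2)]
    cipher = alice_encrypt(urf, used, psi, rng)
    honest = same_up_to_phase(bob_decrypt(urf, cipher), psi)
    # Eve applies P_j to the ciphertext; Paulis commute up to a sign, so Bob
    # obtains P_j psi: exactly the (j, k) input of Definition 6.
    j = (1, 0, 0, 1)
    tampered = (pauli_apply(j, cipher[0]), cipher[1])
    malleable = same_up_to_phase(bob_decrypt(urf, tampered), pauli_apply(j, psi))
    # Eve replaces the nonce by a fresh x': Bob's key URF(x') is then a uniform
    # Pauli independent of everything else, so on average he gets I / 2^m.
    mixed = is_fully_mixed(pauli_twirl(cipher[0]))
    return honest, malleable, mixed
```

`demo()` returns `(True, True, True)`: correctness (Remark 2), Pauli malleability, and the fully mixed output on an injected nonce, which is why the ideal resource must be \(\mathsf{PMCC}\) rather than \(\mathsf{NMCC}\).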

Suppose now that one has a \(\mathsf{PRF}\) resource and a bound \(\epsilon ^\mathsf{PRF}\) satisfying Eq. (6), that is, a \(\mathsf{PRF}\) indistinguishable from \(\mathsf{URF}\) within \(\epsilon ^\mathsf{PRF}\). Then the following corollary follows directly from the composition theorem.

Corollary 2

figure d

where \(\pi '_{AB} =(\pi _{AB}, \pi ^{\mathsf{PRF}}), \epsilon (\mathsf{D}) = \epsilon ^\mathsf{PRF}(\mathsf{DC})+\ell ^2 2^{-\nu }\) and \(\mathsf{C}\) is the system including \( \pi _{AB}, \mathsf{IC}^{\ell ,m+\nu }, \mathsf{QC}^{\ell ,m,m+\nu }_A, \mathsf{QC}^{\ell ,m,m+\nu }_B\).
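The bounds in Corollaries 1 and 2 spelled out through the composition theorem (an added derivation, not from the paper). Write \(\mathsf{R}\) for the resources \(\mathsf{IC}^{\ell ,n+\log \ell }, \mathsf{QC}_A, \mathsf{QC}_B\) of Corollary 1, so that \(\mathsf{C}=\pi _{AB}[\cdot , \mathsf{R}]\) is the reduction system named there, and \(\mathsf{sim}_E\) for the simulator of Theorem 1 (notation assumed here). The triangle inequality of the pseudo-metric, the identity \(d^{\mathsf{D}}(\mathsf{C}[X],\mathsf{C}[Y])=d^{\mathsf{DC}}(X,Y)\), Eq. (6) with \(\nu =\log \ell \), and Theorem 1 give, for every \(\mathsf{D}\),

$$\begin{aligned} &d^{\mathsf{D}}\bigl(\pi '_{AB}[\mathsf{KEY}^r,\mathsf{PRF}_A,\mathsf{PRF}_B,\mathsf{R}],\, \mathsf{sim}_E[\mathsf{OSC}^{\ell ,m},\mathsf{QC}_E]\bigr) \\ &\quad \le d^{\mathsf{D}}\bigl(\pi _{AB}[\pi ^{\mathsf{PRF}}[\mathsf{KEY}^r,\mathsf{PRF}_A,\mathsf{PRF}_B],\mathsf{R}],\, \pi _{AB}[\mathsf{URF}^{\log \ell ,\mu },\mathsf{R}]\bigr) + d^{\mathsf{D}}\bigl(\pi _{AB}[\mathsf{URF}^{\log \ell ,\mu },\mathsf{R}],\, \mathsf{sim}_E[\mathsf{OSC}^{\ell ,m},\mathsf{QC}_E]\bigr) \\ &\quad = d^{\mathsf{DC}}\bigl(\pi ^{\mathsf{PRF}}[\mathsf{KEY}^r,\mathsf{PRF}_A,\mathsf{PRF}_B],\, \mathsf{URF}^{\log \ell ,\mu }\bigr) + d^{\mathsf{D}}\bigl(\pi _{AB}[\mathsf{URF}^{\log \ell ,\mu },\mathsf{R}],\, \mathsf{sim}_E[\mathsf{OSC}^{\ell ,m},\mathsf{QC}_E]\bigr) \\ &\quad \le \epsilon ^\mathsf{PRF}(\mathsf{DC}) + \ell \, \epsilon ^{\mathrm {q\text{-}auth}} = \epsilon (\mathsf{D}) . \end{aligned}$$

Corollary 2 is the same chain with \(\mathsf{URF}^{\nu ,2m}\), \(\mathsf{R}=(\mathsf{IC}^{\ell ,m+\nu },\mathsf{QC}_A,\mathsf{QC}_B)\), \(\mathsf{PMCC}^{\ell ,m}\) in place of \(\mathsf{OSC}^{\ell ,m}\), and Theorem 2 supplying the second term \(\ell ^2 2^{-\nu }\).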

4 Relations to Game-Based Security Definitions

In this section we explore the relations between our constructive security definitions and two game-based security definitions for (specific protocols making use of) symmetric quantum encryption schemes, both introduced in [2]. The two notions we consider are those of quantum ciphertext indistinguishability under adaptive chosen-ciphertext attack (\(\textsf {AGM}\text{-}\mathsf{QCCA2}\)) and quantum authenticated encryption (\(\mathsf{QAE}\)). Both definitions are inspired by classical security notions which intrinsically require the ability to copy data, and which in [2] were successfully translated into a quantum analogue by circumventing the no-cloning theorem.

We will first show that \(\mathsf{QAE}\) security exactly implies the constructive cryptography security notion of constructing a secure channel from an insecure one and a shared secret key, which we call \(\textsf {CC\text{-}QSEC}\) (but is actually stronger, and thus we also show a separation). Secondly, we will relate the \(\textsf {AGM}\text{-}\mathsf{QCCA2}\) security definition to the constructive cryptography security notion of constructing a confidential channel from an insecure one and a shared secret key, which we call \(\textsf {CC\text{-}QCNF}\), but the implication will be less direct. In fact, we introduce two new (intermediate) game-based security definitions, \(\mathsf{RRC}\text{-}\mathsf{QCCA2}\) and \(\mathsf{RRO}\text{-}\mathsf{QCCA2}\), and show that:

  1. The classical versions of \(\textsf {AGM}\text{-}\mathsf{QCCA2}\) and \(\mathsf{RRC}\text{-}\mathsf{QCCA2}\) are asymptotically equivalent;

  2. For a restricted class of schemes, \(\mathsf{RRC}\text{-}\mathsf{QCCA2}\) implies \(\mathsf{RRO}\text{-}\mathsf{QCCA2}\) (they are actually equivalent);

  3. \(\mathsf{RRO}\text{-}\mathsf{QCCA2}\) implies \(\textsf {CC\text{-}QCNF}\) (but is actually stronger).

We leave open the question whether it is possible to generalize (2.) to general schemes. Throughout this section we will assume that both the plaintext and the ciphertext spaces comprise elements of the same length, and thus ignore the corresponding superscripts for channels and quantum computers.

4.1 Background and Notation

In [6], a characterization of any symmetric quantum encryption scheme (SQES) was given, which states that encryption works by attaching some (possibly) key-dependent auxiliary state and applying a unitary operator, while decryption undoes the unitary and then checks whether the support of the state in the auxiliary register has changed. Thus, as pointed out in [2], for key-generation function \(\mathtt {Gen}\) (inducing a probability distribution over some key-space \(\mathcal {K}\)), encryption function \(\mathtt {Enc}\), and decryption function \(\mathtt {Dec}\), we can characterize a SQES as follows.

Lemma 1

([2, Corollary 1]). Let \(\mathfrak {S}=(\mathtt {Gen},\mathtt {Enc},\mathtt {Dec})\) be a SQES. Then for every \(k\in \mathcal {K}\) there exists a probability distribution \(p_k:\mathcal R\rightarrow [0,1]\) and a family of quantum states , with , such that:

  • , where r is sampled according to \(p_k\);

  • ;

where \(P_{\omega _k}^{T}\) and \(\bar{P}_{\omega _k}^{T}\) are the orthogonal projectors onto the support of

For a SQES \(\mathfrak {S}\), we define a security notion \(\textsf {XXX}\) in terms of the advantage \(\mathbf {Adv}^{\mathrm {xxx}}_{\mathfrak {S},\textsf {D}}\) of a distinguisher \(\textsf {D}\) in solving some (usually distinction) problem involving \(\mathfrak {S}\). In the asymptotic setting, security of \(\mathfrak {S}\) according to notion \(\textsf {XXX}\) should be interpreted as \(\mathbf {Adv}^{\mathrm {xxx}}_{\mathfrak {S},\textsf {D}}\) being negligible for every \(\textsf {D}\) from some class \(\mathbb {D}\) of distinguishers (usually, efficient distinguishers). Following the finite security approach, here we are just interested in relating advantages of different notions, making use of black-box reductions. Therefore, for a second notion \(\textsf {YYY}\), we say that \(\textsf {XXX}\) (security) implies \(\textsf {YYY}\) (security) if and only if \(\mathbf {Adv}^{\mathrm {yyy}}_{\mathfrak {S},\textsf {D}}\le c\cdot \mathbf {Adv}^{\mathrm {xxx}}_{\mathfrak {S},\textsf {D}\textsf {C}}\), for some \(c\ge 1\), where \(\textsf {C}\) denotes the black-box reduction that uses the distinguisher \(\textsf {D}\) for \(\textsf {YYY}\) to make a new distinguisher \(\textsf {D}\textsf {C}\) for \(\textsf {XXX}\).

When describing experiments involving interaction between a distinguisher \(\textsf {D}\) and a game system \(\textsf {G}\), we use pseudo-code from \(\textsf {G}\)’s perspective, that is, the \(\mathbf{return}\) statement indicates what is output by the latter. Note that this implies that for distinction problems we always make the game system output the bit output by the distinguisher. In this case we use the expression \(\textsf {D}[\textsf {G}]\) to denote the bit output by \(\textsf {D}\) after interacting with \(\textsf {G}\). On the other hand, if the output bit is decided by \(\textsf {G}\) (as is the case for the \(\textsf {AGM}\text{-}\mathsf{QCCA2}\) definition, which is not a distinction problem), we use the expression \(\textsf {G}[\textsf {D}]\). Moreover, we use both expressions not only for the returned value, but also for denoting the whole random experiment. When specifying that a distinguisher \(\textsf {D}\) has access to a list of oracles, e.g. \(\mathbf{O}_1(\cdot )\) and \(\mathbf{O}_2(\cdot )\), we write \(x\leftarrow \textsf {D}^{\mathbf{O}_1(\cdot ),\mathbf{O}_2(\cdot )}\), where the variable x holds the value output by \(\textsf {D}\) after the interaction with the oracles. We denote the application of a two-outcome projective measurement, e.g. , as , where \(b\in \{0,1\}\) is the result of the measurement (we associate 0 to the first outcome and 1 to the second). The state is the EPR pair (one of the Bell states), to which we associate the two-outcome projective measurement . Furthermore, by we mean that the EPR pair has been prepared on registers XY, and we use \(\tau ^{X}\) as a shorthand for the reduced state in register X, that is, half of a maximally-entangled state.

4.2 Relating \(\mathsf{QAE}\) and \(\textsf {CC\text{-}QSEC}\)

In this section we first present the quantum authenticated encryption security definition introduced in [2], and then show that it directly implies our constructive security notion \(\textsf {CC\text{-}QSEC}\) of constructing a secure channel from an insecure one and a shared secret key.

\({\mathbf {\mathsf{{QAE}}}}\) Security Definition ([2]). We begin by restating what it means for a SQES \(\mathfrak {S}\) to be secure in the \(\mathsf{QAE}\) sense according to [2]. On a high level, a distinguisher \(\textsf {D}\) must not be able to distinguish between two scenarios: in the first (the real one), it has access to regular encryption and decryption oracles, whereas in the second (the ideal one), it has access to an encryption oracle which replaces its queried plaintexts by random ones (half of a maximally-entangled state), and a decryption oracle that normally decrypts ciphertexts not returned by the encryption oracle, but answers with the originally queried plaintexts otherwise (thus not really performing correct decryption). Note that this security notion, as shown in [2], when phrased classically is equivalent to the canonical notion of authenticated encryption (dubbed \(\mathsf{IND}\text{-}\mathsf{CCA3}\) by Shrimpton in [41]). The only difference with the latter is that the decryption oracle returns \(\bot \) when queried on ciphertexts previously returned by the encryption oracle. But crucially, this detail is exactly what would prevent adapting \(\mathsf{IND}\text{-}\mathsf{CCA3}\) directly into a quantum definition: returning \(\bot \) would require the game to copy data (store the ciphertexts returned by the encryption oracle, and then compare them to each query to the decryption oracle), which is not allowed in general in the quantum world. Nevertheless, the formulation of \(\mathsf{QAE}\) introduced in [2] works quantumly because, intuitively, “it is possible to compare random states generated as half of a maximally-entangled state”: the trick consists of first ignoring (but storing) each plaintext submitted by the adversary to the encryption oracle, and then, for each plaintext, preparing an EPR pair , encrypting just half of it, and storing the other half (as well as the involved randomness) together with the original plaintext submitted by the distinguisher; then the decryption oracle normally decrypts each ciphertext, and subsequently applies a projective measurement on the support of to the obtained plaintext against each stored half, so that the associated original plaintext can be easily retrieved. We now restate the definition from [2] (Definition 10 therein), adapted to our notation, and in the concrete setting (as opposed to the asymptotic one).

Definition 10

(\(\mathsf{QAE}\) Security [2]). For a SQES \(\mathfrak {S}\) (implicit in all defined systems) we define the \(\mathsf{QAE}\)-advantage of \(\mathfrak {S}\) for distinguisher \(\mathsf{D}\) as

where the interactions of \(\mathsf{D}\) with game systems \(\mathsf{G}^\mathrm {qae\text{-}real}\) and \(\mathsf{G}^\mathrm {qae\text{-}ideal}\) are defined in Fig. 5.

Fig. 5. \(\mathsf{QAE}\) security games \(\textsf {G}^\mathrm {qae\text{-}real}\) (left) and \(\textsf {G}^\mathrm {qae\text{-}ideal}\) (right).

\({\mathbf {\mathsf{{QAE}}}}\) Implies \({\mathbf {\mathsf{{QSEC}}}}\). Here we denote by \(\textsf {G}^{\mathrm {qae\text{-}real},\ell }\) and \(\textsf {G}^{\mathrm {qae\text{-}ideal},\ell }\) the games \(\textsf {G}^{\mathrm {qae\text{-}real}}\) and \(\textsf {G}^{\mathrm {qae\text{-}ideal}}\) where the distinguisher is allowed to make at most \(\ell \) queries to each oracle (and analogously for \(\mathbf {Adv}^{\mathrm {qae},\ell }_{\mathfrak {S},\textsf {D}}\)).

Fig. 6. Encryption and decryption protocols.

Fig. 7. \(\mathsf{QAE}\) (until the dashed line) and \(\mathsf{QCCA2}\) (until the end) simulators.

Theorem 3

Let \(\mathfrak {S}\) be a SQES (implicit in all defined systems). Then with protocol \(\pi ^\mathrm {q\text{-}enc}_{AB}=(\pi ^\mathrm {q\text{-}enc}_A,\pi ^\mathrm {q\text{-}enc}_B)\) making use of quantum computers \(\mathsf{QC}^\ell _A\) and \(\mathsf{QC}^\ell _B\) as defined in Fig. 6, simulator \(\mathsf{sim}^\mathrm {qae}_E\) making use of quantum computer \(\mathsf{QC}^\ell _E\) as defined in Fig. 7 (until the dashed line), and (trivial) reduction system \(\mathsf{C}\) as specified in the proof, for any distinguisher \(\mathsf{D}\) we have

$$\begin{aligned} \Delta ^{\mathsf{D}}(\pi ^\mathrm {q\text{-}enc}_{AB}\,[\mathsf{KEY},\mathsf{IC}^\ell ,\mathsf{QC}^\ell _A,\mathsf{QC}^\ell _B],\mathsf{sim}^\mathrm {qae}_E\,[\mathsf{SC}^\ell ,\mathsf{QC}^\ell _E])\le \mathbf {Adv}^{\mathrm {qae},\ell }_{\mathfrak {S},\mathsf{DC}}. \end{aligned}$$

Proof

The proof of Theorem 3 appears in the full version [5].

Corollary 3

With \(\varepsilon (\mathsf{D}):=\sup _{\mathsf{D}'\in \mathcal B(\mathsf{D})}\mathbf {Adv}^{\mathrm {qae},\ell }_{\mathfrak {S},\mathsf{D}'}\), we have

$$\begin{aligned} \left[ \mathsf{KEY},\mathsf{IC}^\ell ,\mathsf{QC}^\ell _A,\mathsf{QC}^\ell _B\right] \xrightarrow {\pi ^{\mathrm {q\text{-}enc}}_{AB},\varepsilon } \left[ \mathsf{SC}^\ell ,\mathsf{QC}^\ell _E\right] , \end{aligned}$$

where the class \(\mathcal B(\mathsf{D})\) is defined in Eq. (5).

\({\mathbf {\mathsf{{QAE}}}}\) is Stronger than \({\mathbf {\mathsf{{QSEC}}}}\). We remark that even though \(\mathsf{QAE}\) implies \(\textsf {CC\text{-}QSEC}\), the converse is not true. In particular, we find that \(\mathsf{QAE}\) is an (unnecessarily) stronger notion than \(\textsf {CC\text{-}QSEC}\). We can in fact show that there are SQESs that satisfy \(\textsf {CC\text{-}QSEC}\), but not \(\mathsf{QAE}\). Following [15], in order to show this fact it suffices to take any SQES \(\mathfrak {S}\) which is \(\mathsf{QAE}\) secure, and slightly modify it into a new SQES \(\mathfrak {S}'\) so that a classical 0-bit is appended to every encryption, which is then ignored upon decryption. Now an adversary can flip the bit of a ciphertext that it got from the encryption oracle, and then query the decryption oracle on the new ciphertext: in the real setting it will get back the original message, while in the ideal setting it will get back \({|\bot \rangle \!\langle \bot |}\), and can thus perfectly distinguish between the two, hence \(\mathfrak {S}'\) cannot be \(\mathsf{QAE}\) secure. On the other hand, \(\mathfrak {S}'\) is still \(\textsf {CC\text{-}QSEC}\) secure because it can still be used to achieve the construction of a secure channel from an insecure one and a shared secret key. This is possible by using a simulator which works essentially as \(\mathsf{sim}_E^{\mathrm {qae},\ell }\mathsf{QC}_E^\ell \) from Fig. 7, but which ignores the bit.

4.3 Relating \(\mathsf{QCCA2}\) and \(\textsf {CC\text{-}QCNF}\)

The goal of this section is to present and relate several \(\mathsf{QCCA2}\) security definitions. We begin by introducing a new definition, \(\mathsf{RRC}\text{-}\mathsf{QCCA2}\) (where \(\textsf {RRC}\) stands for “real-or-random challenge”), which is similar to \(\textsf {AGM}\text{-}\mathsf{QCCA2}\). Both notions define a challenge phase, and thus we introduce a third variant, \(\mathsf{RRO}\text{-}\mathsf{QCCA2}\) (where \(\textsf {RRO}\) stands for “real-or-random oracles”), in which there is no real-or-random challenge, but rather access to real-or-random oracles. Crucially, the latter is identical to \(\mathsf{QAE}\) as introduced by [2], up to a small detail: upon decryption, if the ciphertext was not generated by the encryption oracle, instead of returning \({|\bot \rangle \!\langle \bot |}\), return the decrypted plaintext. Finally, we show that for a restricted class of SQESs, \(\mathsf{RRC}\text{-}\mathsf{QCCA2}\) implies \(\mathsf{RRO}\text{-}\mathsf{QCCA2}\), and for any SQES, \(\mathsf{RRO}\text{-}\mathsf{QCCA2}\) implies \(\textsf {CC\text{-}QCNF}\).

\({\mathbf {\mathsf{{RRC-QCCA2}}}}\) Security Definition. We now introduce an alternative game-based security definition that seems more natural than \(\textsf {AGM}\text{-}\mathsf{QCCA2}\). This notion is defined in terms of a distinction problem (as opposed to \(\textsf {AGM}\text{-}\mathsf{QCCA2}\)), and essentially it is analogous to the test setting of the latter, but where the decryption oracle provided to the distinguisher behaves differently: after the real-or-random challenge phase, upon querying the challenge ciphertext, it will respond with the plaintext originally submitted by the distinguisher, in both the real and ideal settings. Note that this is possible in the ideal setting, because we make use of the same trick as in the fake setting of \(\textsf {AGM}\text{-}\mathsf{QCCA2}\), but we do not just set a flag whenever we detect that the adversary is cheating, but rather return the original message that it submitted as challenge. Since a similar behavior is implemented in the real setting, the adversary must really be able to distinguish between ciphertexts in order to win.

Definition 11

(\(\mathsf{RRC}\text{-}\mathsf{QCCA2}\) Security). For a SQES \(\mathfrak {S}\) (implicit in all defined systems) we define the \(\mathsf{RRC}\text{-}\mathsf{QCCA2}\)-advantage of \(\mathfrak {S}\) for distinguisher \(\mathsf{D}\) as

where the interactions of \(\mathsf{D}\) with game systems \(\mathsf{G}^{\mathrm {rrc}\text{-}\mathrm {qcca2\text{-}real}}\) and \(\mathsf{G}^{\mathrm {rrc}\text{-}\mathrm {qcca2\text{-}ideal}}\) are defined in Fig. 8.

Fig. 8. \(\mathsf{RRC}\text{-}\mathsf{QCCA2}\) games \(\textsf {G}^{\mathrm {rrc}\text{-}\mathrm {qcca2\text{-}real}}\) (left) and \(\textsf {G}^{\mathrm {rrc}\text{-}\mathrm {qcca2\text{-}ideal}}\) (right).

\({\mathbf {\mathsf{{RRO-QCCA2}}}}\) Security Definition. In order to relate the latter definition with a constructive notion of confidentiality, it is helpful to have a game-based security definition which analogously to \(\mathsf{QAE}\) defines a real and an ideal setting (by specifying real-or-random oracles, and in particular, not only a real-or-random challenge). We do this by introducing the notion \(\mathsf{RRO}\text{-}\mathsf{QCCA2}\), which can be seen as a natural extension of \(\mathsf{RRC}\text{-}\mathsf{QCCA2}\).

Definition 12

(\(\mathsf{RRO}\text{-}\mathsf{QCCA2}\) Security). For a SQES \(\mathfrak {S}\) (implicit in all defined systems) we define the \(\mathsf{RRO}\text{-}\mathsf{QCCA2}\)-advantage of \(\mathfrak {S}\) for distinguisher \(\mathsf{D}\) as

where the interactions of \(\mathsf{D}\) with game systems \(\mathsf{G}^{\mathrm {rro}\text{-}\mathrm {qcca2\text{-}real}}\) and \(\mathsf{G}^{\mathrm {rro}\text{-}\mathrm {qcca2\text{-}ideal}}\) are defined in Fig. 9.

Fig. 9. \(\mathsf{RRO}\text{-}\mathsf{QCCA2}\) games \(\textsf {G}^{\mathrm {rro}\text{-}\mathrm {qcca2\text{-}real}}\) (left) and \(\textsf {G}^{\mathrm {rro}\text{-}\mathrm {qcca2\text{-}ideal}}\) (right).

Relating \({\mathbf {\mathsf{{AGM\text{-}QCCA2}}}}\) and \({\mathbf {\mathsf{{RRC\text{-}QCCA2}}}}\). We feel that \(\mathsf{RRC}\text{-}\mathsf{QCCA2}\) is a much simpler and more natural definition than \(\textsf {AGM}\text{-}\mathsf{QCCA2}\). In fact, in [2] the authors claim that \(\textsf {AGM}\text{-}\mathsf{QCCA2}\) is a “natural” security definition based on the fact that its classical analogue is shown to be equivalent to (a variation of) the standard classical \(\mathsf{IND}\text{-}\mathsf{CCA2}\) security definition. We claim that our \(\mathsf{RRC}\text{-}\mathsf{QCCA2}\) is more natural in the sense that it is formulated as an ordinary distinction problem (unlike \(\textsf {AGM}\text{-}\mathsf{QCCA2}\)), and its classical analogue can be shown to be equivalent to standard classical \(\mathsf{IND}\text{-}\mathsf{CCA2}\) security much more directly (in particular, with no concrete security loss, whereas for \(\textsf {AGM}\text{-}\mathsf{QCCA2}\) the concrete reduction is shown to have a factor 2 security loss).

Similarly to what is done in [2] for \(\mathsf{QAE}\), whose classical restriction was shown to be equivalent to the common classical notion of authenticated encryption \(\mathsf{IND}\text{-}\mathsf{CCA3}\) from [41], we now show that our \(\mathsf{RRC}\text{-}\mathsf{QCCA2}\) security notion, when cast as a classical definition, dubbed \(\mathsf{RRC}\text{-}\mathsf{CCA2}\), is equivalent (in particular, with no loss factors, unlike \(\textsf {AGM}\text{-}\mathsf{QCCA2}\)) to a common classical notion of \(\mathsf{IND}\text{-}\mathsf{CCA2}\). The latter is the definition mentioned in [2]: it comprises a real-or-random challenge, but its decryption oracle returns \(\bot \) when queried on the challenge ciphertext. \(\mathsf{RRC}\text{-}\mathsf{CCA2}\), on the other hand, behaves exactly like \(\mathsf{IND}\text{-}\mathsf{CCA2}\), except that when queried on the challenge ciphertext the decryption oracle always returns the challenge plaintext as originally submitted by the adversary, independently of the (real or ideal) setting.

Lemma 2

\(\mathsf{RRC}\text{-}\mathsf{CCA2}\) and \(\mathsf{IND}\text{-}\mathsf{CCA2}\) are equivalent.

Proof

To transform \(\mathsf{RRC}\text{-}\mathsf{CCA2}\) into \(\mathsf{IND}\text{-}\mathsf{CCA2}\), the reduction simply stores the challenge ciphertext \(\hat{c}\) and returns \(\bot \) whenever the decryption oracle is queried on \(\hat{c}\). To transform \(\mathsf{IND}\text{-}\mathsf{CCA2}\) into \(\mathsf{RRC}\text{-}\mathsf{CCA2}\), the reduction simply stores the challenge plaintext \(\hat{m}\) and the challenge ciphertext \(\hat{c}\), and returns \(\hat{m}\) whenever the decryption oracle is queried on \(\hat{c}\). Both reductions emulate the target game perfectly, in the real as well as in the ideal setting, so the two advantages coincide and no loss factor is incurred.
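As an added worked example (not part of the paper), the following Python code simulates the classical games: a real-or-random challenge game whose decryption oracle, on the challenge ciphertext, either returns \(\bot \) (the \(\mathsf{IND}\text{-}\mathsf{CCA2}\) variant), returns the submitted plaintext \(\hat{m}\) in both settings (\(\mathsf{RRC}\text{-}\mathsf{CCA2}\)), or, as a deliberately broken variant not from the paper, returns the actual decryption. The two wrapper classes are the reductions of the proof of Lemma 2. The symmetric scheme (`ToyScheme`, encrypt-then-MAC over an HMAC-SHA256 keystream), the oracle method names `enc`/`challenge`/`dec`, the sample message and the trivial distinguisher are all assumptions of this example; the point it makes is that a distinguisher who merely decrypts the challenge ciphertext has advantage 1 against the broken game but advantage 0 against both \(\mathsf{RRC}\text{-}\mathsf{CCA2}\) and \(\mathsf{IND}\text{-}\mathsf{CCA2}\), and that the reductions preserve this exactly.

```python
import hashlib
import hmac
import secrets


class ToyScheme:
    """Illustrative symmetric scheme (an assumption of this example, not from the paper):
    encrypt-then-MAC over an HMAC-SHA256 counter keystream with a fresh 16-byte nonce."""
    def __init__(self, key):
        self.kenc, self.kmac = key[:16], key[16:]

    def _stream(self, nonce, n):
        out = b""
        for ctr in range((n + 31) // 32):
            out += hmac.new(self.kenc, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        return out[:n]

    def enc(self, m):
        nonce = secrets.token_bytes(16)
        body = nonce + bytes(a ^ b for a, b in zip(m, self._stream(nonce, len(m))))
        return body + hmac.new(self.kmac, body, hashlib.sha256).digest()

    def dec(self, c):
        body, tag = c[:-32], c[-32:]
        if len(body) < 16 or not hmac.compare_digest(tag, hmac.new(self.kmac, body, hashlib.sha256).digest()):
            return None  # bot: ciphertext rejected
        nonce, ct = body[:16], body[16:]
        return bytes(a ^ b for a, b in zip(ct, self._stream(nonce, len(ct))))


class Game:
    """Real-or-random challenge game with ENC and DEC oracles; `mode` fixes what DEC
    returns on the challenge ciphertext c_hat:
      "bot"       -> None    (IND-CCA2 as discussed in the text)
      "plaintext" -> m_hat   (RRC-CCA2: the submitted plaintext, in both settings)
      "naive"     -> the real decryption (broken game, shows why suppression is needed)"""
    def __init__(self, real, mode):
        self.s, self.real, self.mode = ToyScheme(secrets.token_bytes(32)), real, mode
        self.m_hat = self.c_hat = None

    def enc(self, m):
        return self.s.enc(m)

    def challenge(self, m):
        assert self.c_hat is None, "only one challenge query is allowed"
        self.m_hat = m
        # ideal setting: encrypt a uniformly random message of the same length
        self.c_hat = self.s.enc(m if self.real else secrets.token_bytes(len(m)))
        return self.c_hat

    def dec(self, c):
        if c == self.c_hat and self.mode != "naive":
            return None if self.mode == "bot" else self.m_hat
        return self.s.dec(c)


class RrcFromInd:
    """Lemma 2, IND-CCA2 -> RRC-CCA2: store (m_hat, c_hat), answer DEC(c_hat) with m_hat."""
    def __init__(self, ind):
        self.g, self.m_hat, self.c_hat = ind, None, None
    def enc(self, m):
        return self.g.enc(m)
    def challenge(self, m):
        self.m_hat, self.c_hat = m, self.g.challenge(m)
        return self.c_hat
    def dec(self, c):
        return self.m_hat if c == self.c_hat else self.g.dec(c)


class IndFromRrc:
    """Lemma 2, RRC-CCA2 -> IND-CCA2: store c_hat, answer DEC(c_hat) with bot."""
    def __init__(self, rrc):
        self.g, self.c_hat = rrc, None
    def enc(self, m):
        return self.g.enc(m)
    def challenge(self, m):
        self.c_hat = self.g.challenge(m)
        return self.c_hat
    def dec(self, c):
        return None if c == self.c_hat else self.g.dec(c)


def trivial_distinguisher(g):
    """Submits a constructed 16-byte message, decrypts the challenge ciphertext and
    outputs 1 iff the oracle hands back the submitted plaintext."""
    m = b"attack at dawn!!"
    return 1 if g.dec(g.challenge(m)) == m else 0


def estimate_advantage(dist, make_game, trials=50):
    """|Pr[D=1 | real] - Pr[D=1 | ideal]| by sampling; make_game(real) builds a fresh game."""
    p_real = sum(dist(make_game(True)) for _ in range(trials)) / trials
    p_ideal = sum(dist(make_game(False)) for _ in range(trials)) / trials
    return abs(p_real - p_ideal)


if __name__ == "__main__":
    for mode in ("naive", "bot", "plaintext"):
        print(mode, estimate_advantage(trivial_distinguisher, lambda real, m=mode: Game(real, m)))
    print("rrc-from-ind", estimate_advantage(trivial_distinguisher, lambda real: RrcFromInd(Game(real, "bot"))))
```

The "naive" mode is exactly the game one must not write: in the ideal setting the decryption of \(\hat{c}\) is a random string, so decrypting the challenge separates the two settings trivially. Returning the submitted \(\hat{m}\) in both settings (or \(\bot \) in both) removes that trivial win, and any distinguisher that still succeeds must distinguish the ciphertexts themselves; the two reductions change nothing except this one oracle answer, which is why the advantages are equal.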

\({\mathbf {\mathsf{{RRC\text{-}QCCA2}}}}\) Implies \({\mathbf {\mathsf{{RRO\text{-}QCCA2}}}}\). As above, we add the parameter \(\ell \) as a superscript to games and advantages to denote that the distinguisher is allowed to make at most \(\ell \) queries to the oracles. Note that we relate \(\mathsf{RRC}\text{-}\mathsf{QCCA2}\) and \(\mathsf{RRO}\text{-}\mathsf{QCCA2}\) only for the subclass of SQESs satisfying the following condition.

Condition 1

SQES \(\mathfrak {S}\) is such that the auxiliary state does not depend on the key (but possibly on the randomness), and it explicitly appends the randomness to the ciphertext, that is:

for some unitary \(U_{k,r}\) depending on both the key k and the randomness r.

We remark that this restriction still captures all the explicit protocols considered in [2].

Lemma 3

Let \(\mathfrak {S}\) be a SQES satisfying Condition 1. Then for reduction system \(\mathsf{C}_I\) as specified in the proof, for any distinguisher \(\mathsf{D}\) we have

$$\begin{aligned} \mathbf {Adv}^{\mathrm {rro}\text{-}\mathrm {qcca2},\ell }_{\mathfrak {S},\mathsf{D}}\le \ell \cdot \mathbf {Adv}^{\mathrm {rrc}\text{-}\mathrm {qcca2},\ell -1}_{\mathfrak {S},\mathsf{DC}_I}. \end{aligned}$$

Proof

The proof of Lemma 3 appears in the full version [5].

It is easy to show that the other direction of Lemma 3 also holds (for the same class of SQES), that is, \(\mathsf{RRO}\text{-}\mathsf{QCCA2}\) implies \(\mathsf{RRC}\text{-}\mathsf{QCCA2}\). For this, the reduction \(\textsf {C}\) flips a bit \(\tilde{B}\) and uses the \(\mathsf{RRO}\text{-}\mathsf{QCCA2}\) security game to emulate the \(\mathsf{RRC}\text{-}\mathsf{QCCA2}\) game, which results in a perfect emulation with probability \(\frac{1}{2}\) and in a game where \(\tilde{B}\) is perfectly unguessable otherwise. Thus, with \(\textsf {D}\textsf {C}\) outputting 1 if and only if \(\textsf {D}\) correctly guesses \(\tilde{B}\), we have \(\mathbf {Adv}^{\mathrm {rrc}\text{-}\mathrm {qcca2},\ell }_{\mathfrak {S},\textsf {D}}\le 2\cdot \mathbf {Adv}^{\mathrm {rro}\text{-}\mathrm {qcca2},\ell -1}_{\mathfrak {S},\textsf {D}\textsf {C}}\). Since both directions hold with only polynomial loss factors, the two notions are asymptotically equivalent, as we formalize in the following lemma.

Lemma 4

For SQES satisfying Condition 1, \(\mathsf{RRC}\text{-}\mathsf{QCCA2}\) and \(\mathsf{RRO}\text{-}\mathsf{QCCA2}\) are asymptotically equivalent.

Just as we cast \(\mathsf{RRC}\text{-}\mathsf{QCCA2}\) into the classical definition \(\mathsf{RRC}\text{-}\mathsf{CCA2}\), we can cast \(\mathsf{RRO}\text{-}\mathsf{QCCA2}\) into \(\mathsf{RRO}\text{-}\mathsf{CCA2}\). It is then possible to obtain results analogous to those above for the classical notions (without any restriction on the (classical) encryption scheme, since Condition 1 is only needed in the quantum case).

Corollary 4

\(\mathsf{RRC}\text{-}\mathsf{CCA2}\) and \(\mathsf{RRO}\text{-}\mathsf{CCA2}\) are asymptotically equivalent.

\({{\mathbf {\mathsf{{RRO\text{-}QCCA2}}}}}\) Implies \({{\mathbf {\mathsf{{CC\text{-}QCNF}}}}}\). We can now finally relate \(\mathsf{QCCA2}\) game-based security definitions to the constructive cryptography notion of confidentiality, \(\textsf {CC\text{-}QCNF}\). We do so by showing that \(\mathsf{RRO}\text{-}\mathsf{QCCA2}\) security implies \(\textsf {CC\text{-}QCNF}\), and therefore, by Lemma 3, so does \(\mathsf{RRC}\text{-}\mathsf{QCCA2}\) (with a concrete security loss factor of \(\ell \), for the SQESs satisfying Condition 1).

Theorem 4

Let be a SQES (implicit in all defined systems). Then with protocol \(\pi ^\mathrm {q\text{-}enc}_{AB}=(\pi ^\mathrm {q\text{-}enc}_A,\pi ^\mathrm {q\text{-}enc}_B)\) making use of quantum computers \(\mathsf{QC}^\ell _A\) and \(\mathsf{QC}^\ell _B\) (already defined in Fig. 6 for Theorem 3), simulator \(\mathsf{sim}^\mathrm {qcca2}_E\) making use of quantum computer \(\mathsf{QC}^\ell _E\) as defined in Fig. 7 (until the end), and (trivial) reduction system \(\mathsf{C}\) as specified in the proof, for any distinguisher \(\mathsf{D}\) we have

$$\begin{aligned} \Delta ^{\mathsf{D}}(\pi ^\mathrm {q\text{-}enc}_{AB}\,[\mathsf{KEY},\mathsf{IC}^\ell ,\mathsf{QC}^\ell _A,\mathsf{QC}^\ell _B],\mathsf{sim}^\mathrm {qcca2}_E\,[\mathsf{NMCC}^\ell ,\mathsf{QC}^\ell _E])\le \mathbf {Adv}^{\mathrm {rro}\text{-}\mathrm {qcca2},\ell }_{\mathfrak {S},\mathsf{DC}}. \end{aligned}$$

Proof

The proof of Theorem 4 appears in the full version [5].

Corollary 5

With \(\varepsilon (\mathsf{D}):=\sup _{\mathsf{D}'\in \mathcal B(\mathsf{D})}\mathbf {Adv}^{\mathrm {rro}\text{-}\mathrm {qcca2},\ell }_{\mathfrak {S},\mathsf{D}'}\), we have

$$\begin{aligned} \left[ \mathsf{KEY},\mathsf{IC}^\ell ,\mathsf{QC}^\ell _A,\mathsf{QC}^\ell _B\right] \xrightarrow {\pi ^{\mathrm {q\text{-}enc}}_{AB},\varepsilon } \left[ \mathsf{NMCC}^\ell ,\mathsf{QC}^{\mathrm {qcca2},\ell }_E\right] , \end{aligned}$$

where the class \(\mathcal B(\mathsf{D})\) is defined in Eq. (5).

Using Lemma 3, we finally obtain the following corollary.

Corollary 6

With \(\varepsilon (\mathsf{D}):=\sup _{\mathsf{D}'\in \mathcal B(\mathsf{D})}\mathbf {Adv}^{\mathrm {rrc}\text{-}\mathrm {qcca2},\ell }_{\mathfrak {S},\mathsf{D}'}\), we have

$$\begin{aligned} \left[ \mathsf{KEY},\mathsf{IC}^\ell ,\mathsf{QC}^\ell _A,\mathsf{QC}^\ell _B\right] \xrightarrow {\pi ^{\mathrm {q\text{-}enc}}_{AB},(\ell +1)\cdot \varepsilon } \left[ \mathsf{NMCC}^\ell ,\mathsf{QC}^{\mathrm {qcca2},\ell }_E\right] , \end{aligned}$$

where the class \(\mathcal B(\mathsf{D})\) is defined in Eq. (5).

\({{\mathbf {\mathsf{{RRO\text{-}QCCA2}}}}}\) is Stronger than \({{\mathbf {\mathsf{{CC\text{-}QCNF}}}}}\). We remark that even though \(\mathsf{RRO}\text{-}\mathsf{QCCA2}\) implies \(\textsf {CC\text{-}QCNF}\), the converse is not true, for the same reason outlined above for \(\mathsf{QAE}\) and \(\textsf {CC\text{-}QSEC}\): one can show that there are SQESs that satisfy \(\textsf {CC\text{-}QCNF}\) but not \(\mathsf{RRO}\text{-}\mathsf{QCCA2}\), by applying the same principle of extending an \(\mathsf{RRO}\text{-}\mathsf{QCCA2}\)-secure scheme into one which is no longer \(\mathsf{RRO}\text{-}\mathsf{QCCA2}\)-secure but still satisfies \(\textsf {CC\text{-}QCNF}\).