Post-quantum Insecurity from LWE

  • Conference paper
  • Published in: Theory of Cryptography (TCC 2022)

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 13747))


We show that for many fundamental cryptographic primitives, proving classical security under the learning-with-errors (LWE) assumption does not imply post-quantum security. This is despite the fact that LWE is widely believed to be post-quantum secure, and our work does not give any evidence otherwise. Instead, it shows that post-quantum insecurity can arise inside cryptographic constructions, even if the underlying assumptions are post-quantum secure.

Concretely, our work provides (contrived) constructions of pseudorandom functions, CPA-secure symmetric-key encryption, message-authentication codes, signatures, and CCA-secure public-key encryption schemes, all of which are proven to be classically secure under LWE via black-box reductions, but demonstrably fail to be post-quantum secure. All of these cryptosystems are stateless and non-interactive, but their security is defined via an interactive game that allows the attacker to make oracle queries to the cryptosystem. The polynomial-time quantum attacker can break these schemes by only making a few classical queries to the cryptosystem, and in some cases, a single query suffices.

Previously, we only had examples of post-quantum insecurity under post-quantum assumptions for stateful/interactive protocols. Moreover, there appears to be a folklore intuition that for stateless/non-interactive cryptosystems with black-box proofs of security, a quantum attack against the scheme should translate into a quantum attack on the assumption. This work shows otherwise. Our main technique is to carefully embed interactive protocols inside the interactive security games of the above primitives.

As a result of independent interest, we also show a 3-round quantum disclosure of secrets (QDS) protocol between a classical sender and a receiver, where a quantum receiver learns a secret message in the third round but, assuming LWE, a classical receiver does not.

The full version of this paper is available online [33].

A. Lombardi—Supported in part by DARPA under Agreement No. HR00112020023, a grant from MIT-IBM Watson AI, a grant from Analog Devices, a Microsoft Trustworthy AI grant, the Thornton Family Faculty Research Innovation Fellowship and a Charles M. Vest fellowship. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the United States Government or DARPA.

D. Wichs—Research supported by NSF grant CNS-1750795, CNS-2055510 and the Alfred P. Sloan Research Fellowship.



Notes

  1. The same question could also be asked for cryptosystems based on any of the other candidate post-quantum assumptions, such as isogenies, or even post-quantum secure one-way functions or collision-resistant hashing. We frame our discussion in terms of LWE for concreteness and because our eventual results specifically rely on LWE.

  2. We focus on “post-quantum security”, where only the adversary is quantum, but all interaction with the cryptosystem is classical. We distinguish this from what is sometimes called “quantum security” [45], where the cryptosystem needs to also accept quantum inputs. For the latter, it is already known that, e.g., allowing an adversary quantum query access to a PRF may compromise security. We discuss this in detail in Sect. 1.2.

  3. Note that PRFs (and other symmetric-key primitives) with public parameters are natural to consider; for instance, the group-based PRFs (e.g., [34]) would naturally have public parameters that include a description of the group.

  4. Technically, it may be possible that the completeness error of the IPQ increases non-negligibly if the PRF is only classically secure but not post-quantum secure. But it is easy to solve this by relying on a PRF that is one-wise independent.

  5. In this case, we can remove the instruction that \(V_{\textsf{sk}}\) outputs \(v_1\) on the empty string, since we already give out \(v_1\) in the public parameters.

  6. For symmetric-key primitives in the public-parameter setting, the secret key of the primitive is generated together with some public parameters that are given to the adversary, but are not otherwise needed for correctness.

  7. It is easy to make an IPQ publicly verifiable simply by adding an additional round where the verifier publicly declares whether it accepted or rejected, but this would require 5 rounds and we need 4.

  8. A 3-message QDS also implies a 4-message publicly verifiable IPQ. This is shown implicitly by our one-time signature counterexample below, but can be done more directly as follows. Use a QDS to send a random message x and append the one-way function value f(x) to the 3rd round; then accept in the 4th round if the prover replies with a valid preimage \(x'\) of f(x).

  9. This allows us to encrypt a single bit, but we can repeat this in parallel to encrypt a multi-bit message one bit at a time. Security follows via a simple hybrid argument.

  10. We think of a \(3 \times 3\) square of bits. The challenge \(q_1\) corresponds to a random row or column (6 possibilities) and \(q_2\) corresponds to a random location inside that row/column. The provers are supposed to answer with \(a_1\) being the 3 bits in the row/column specified by \(q_1\) and \(a_2\) being the bit in the position specified by \(q_2\). They win if the answers are consistent and if the bits of \(a_1\) have parity 0 when \(q_1\) is a row or parity 1 when \(q_1\) is a column.

  11. Unfortunately, if we use this 2-prover non-local game, then the resulting 4-message IPQ cannot be made resettably sound. This is because the challenge \(q_2\) gives information about \(q_1\). By rewinding the verifier and seeing many values of \(q_2\), a classical adversary can learn \(q_1\) and win the game. (Even if the 4-message IPQ were resettably sound, it wouldn’t guarantee that the 3-message QDS would be, because it reveals various GL bits in the 3rd round.) In contrast, in the original instantiation of the [30] framework with the CHSH game and threshold parallel repetition, the resulting 4-message IPQ does not have unique final answers, but can be given resettable security using a PRF to generate \(q_2\), because \(q_2\) is random and independent of \(q_1\).

  12. Allowing \(\mathcal{P}^*\) to learn the outcome of the protocol execution is without loss of generality by negligible classical soundness: all executions of the protocol with \(\mathcal{P}^*\) will be rejected with overwhelming probability.

  13. Technically, to have \(F_{\textsf{sk}}\) be defined over a fixed input domain, we actually distinguish the cases \(x=(0\Vert p_1\Vert *)\) and \(x=(1\Vert p_1,p_2)\), where \(*\) denotes a 0 padding of appropriate length, and where \(F_{\textsf{sk}}\) outputs \(\textsf{reject}\) on inputs not of this form. We keep the notation of the construction above for clarity of exposition.

  14. Technically, we pad the shorter of \(\overline{\textsf{pp}}\) and \(\overline{F}_{\overline{\textsf{sk}}}(x)\) to obtain outputs with fixed length. We define the padding as an independent PRF of the input to preserve pseudorandomness of the outputs.

  15. In general, the first sender message \(s_1\) in the QDS depends on the message m, and so in general \(\textsf{Setup}\) would take m as input. For simplicity of notation, we note that our construction of QDS above is delayed-input, in the sense that \(s_1\) is computed independently of m, which allows \(\textsf{Setup}\) to be independent of m. Our counterexamples in Sect. 6 would work even if the QDS were not delayed-input.

  16. A uniform description follows by considering, for instance, random affine functions over the field \(\{0,1\}^n\), where n denotes the input size, so that hash functions have descriptions \(h=(a,b)\leftarrow \{0,1\}^n \times \{0,1\}^n\).

  17. In other words, the quantum attack is a CCA-1 attack.

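The 2-prover game of note 10, as an added example that is not part of the paper: a Python referee implementing the stated winning condition, a deterministic strategy pair that wins 17 of the 18 equally likely question pairs, and an exhaustive search over deterministic strategies showing that 17/18 is the best classical provers can do, so no classical strategy wins with certainty. The game is the Mermin-Peres magic square, which is known to have a perfect quantum strategy for entangled provers; that quantum side is not implemented here. The function names (`referee_accepts`, `play_all`, `classical_value`) and the sample squares `R` and `C` are this example's own, not notation from the paper; prover 2 is handed the cell coordinates that \(q_2\) selects.

```python
"""Referee and classical analysis of the 3x3 parity game (note 10).

Added example; conventions below (cell coordinates for prover 2, the
sample squares R and C) are assumptions of this example, not the paper's.
"""
from fractions import Fraction
from itertools import product

# Six lines of the square: q1 in 0..2 is a row, 3..5 is a column.
LINES = [tuple((i, j) for j in range(3)) for i in range(3)] + \
        [tuple((i, j) for i in range(3)) for j in range(3)]
CELLS = [(i, j) for i in range(3) for j in range(3)]


def required_parity(q1):
    """Rows must have parity 0, columns parity 1."""
    return 0 if q1 < 3 else 1


def referee_accepts(q1, q2, a1, a2):
    """Winning condition: a1 is the 3 bits of line q1 with the required
    parity, and prover 2's bit a2 equals the bit of a1 at position q2."""
    if len(a1) != 3 or any(b not in (0, 1) for b in a1):
        return False
    if sum(a1) % 2 != required_parity(q1):
        return False
    return a1[q2] == a2


def play_all(strategy1, strategy2):
    """Number of the 18 equally likely (q1, q2) pairs won by a deterministic
    pair: strategy1 maps q1 -> 3-bit tuple, strategy2 maps cell -> bit."""
    return sum(
        referee_accepts(q1, q2, strategy1[q1], strategy2[LINES[q1][q2]])
        for q1 in range(6) for q2 in range(3)
    )


def best_response(strategy1):
    """Best deterministic prover-2 strategy against a fixed strategy1.
    Each cell is only ever asked through its own row and its own column,
    so the bit for each cell can be chosen independently."""
    strategy2 = {}
    for cell in CELLS:
        score = {}
        for b in (0, 1):
            score[b] = sum(
                referee_accepts(q1, line.index(cell), strategy1[q1], b)
                for q1, line in enumerate(LINES) if cell in line
            )
        strategy2[cell] = max(score, key=score.get)
    return strategy2


def classical_value():
    """Exact classical winning probability, maximised over deterministic
    strategies (shared randomness is a mixture of deterministic pairs and
    cannot beat the best one). A line answered with the wrong parity loses
    all 3 of its question pairs, so only parity-correct answers need to be
    enumerated: 4 answers per line, 4^6 = 4096 prover-1 strategies."""
    answers = {p: [a for a in product((0, 1), repeat=3) if sum(a) % 2 == p]
               for p in (0, 1)}
    best = 0
    for choice in product(*(answers[required_parity(q1)] for q1 in range(6))):
        strategy1 = dict(enumerate(choice))
        best = max(best, play_all(strategy1, best_response(strategy1)))
    return Fraction(best, 18)


# Sample (constructed) strategy: rows are read from R (all rows parity 0),
# columns from C (all columns parity 1). R and C agree everywhere except
# cell (0, 2); some disagreement is forced, since the 9 bits of R have total
# parity 0 while the 9 bits of C have total parity 1.
R = [[1, 1, 0], [0, 0, 0], [0, 0, 0]]
C = [[1, 1, 1], [0, 0, 0], [0, 0, 0]]
NEAR_OPTIMAL_P1 = {**{i: tuple(R[i]) for i in range(3)},
                   **{3 + j: tuple(C[i][j] for i in range(3)) for j in range(3)}}
NEAR_OPTIMAL_P2 = {(i, j): R[i][j] for i, j in CELLS}


if __name__ == "__main__":
    print("sample strategy wins", play_all(NEAR_OPTIMAL_P1, NEAR_OPTIMAL_P2), "of 18")
    print("best classical value", classical_value())
```

The search confirms the parity argument directly: prover 2 commits to one bit per cell, so at the cell where the row square and the column square disagree it can satisfy only one of the two lines through that cell, and the best classical value is 17/18 rather than 1.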

References

  1. Ambainis, A., Rosmanis, A., Unruh, D.: Quantum attacks on classical proof systems: the hardness of quantum rewinding. In: 55th FOCS, pp. 474–483. IEEE Computer Society Press, October 2014. https://doi.org/10.1109/FOCS.2014.57

  2. Aravind, P.: The magic squares and Bell’s theorem. Technical report (2002)

  3. Arute, F., Arya, K., Babbush, R., et al.: Quantum supremacy using a programmable superconducting processor. Nature 574(7779), 505–510 (2019)

  4. Badrinarayanan, S., Ishai, Y., Khurana, D., Sahai, A., Wichs, D.: Refuting the dream XOR lemma via ideal obfuscation and resettable MPC. ITC (2022). https://eprint.iacr.org/2022/681

  5. Barak, B.: How to go beyond the black-box simulation barrier. In: 42nd FOCS, pp. 106–115. IEEE Computer Society Press, October 2001. https://doi.org/10.1109/SFCS.2001.959885

  6. Bellare, M., Impagliazzo, R., Naor, M.: Does parallel repetition lower the error in computationally sound protocols? In: 38th FOCS, pp. 374–383. IEEE Computer Society Press, October 1997. https://doi.org/10.1109/SFCS.1997.646126

  7. Bellare, M., Rogaway, P.: Entity authentication and key distribution. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 232–249. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48329-2_21

  8. Bitansky, N., Brakerski, Z., Kalai, Y.T.: Constructive post-quantum reductions. Cryptology ePrint Archive (2022)

  9. Bitansky, N., Shmueli, O.: Post-quantum zero knowledge in constant rounds. In: Makarychev, K., Makarychev, Y., Tulsiani, M., Kamath, G., Chuzhoy, J. (eds.) 52nd ACM STOC, pp. 269–279. ACM Press, June 2020. https://doi.org/10.1145/3357713.3384324

  10. Boneh, D., Dagdelen, Ö., Fischlin, M., Lehmann, A., Schaffner, C., Zhandry, M.: Random oracles in a quantum world. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 41–69. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25385-0_3

  11. Boneh, D., Zhandry, M.: Quantum-secure message authentication codes. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 592–608. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38348-9_35

  12. Boneh, D., Zhandry, M.: Secure signatures and chosen ciphertext security in a quantum computing world. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8043, pp. 361–379. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40084-1_21

  13. Brakerski, Z., Christiano, P., Mahadev, U., Vazirani, U.V., Vidick, T.: A cryptographic test of quantumness and certifiable randomness from a single quantum device. In: Thorup, M. (ed.) 59th FOCS, pp. 320–331. IEEE Computer Society Press, October 2018. https://doi.org/10.1109/FOCS.2018.00038

  14. Brakerski, Z., Vaikuntanathan, V.: Efficient fully homomorphic encryption from (standard) LWE. In: Ostrovsky, R. (ed.) 52nd FOCS, pp. 97–106. IEEE Computer Society Press, October 2011. https://doi.org/10.1109/FOCS.2011.12

  15. Canetti, R., Goldreich, O., Halevi, S.: The random oracle methodology, revisited (preliminary version). In: 30th ACM STOC, pp. 209–218. ACM Press, May 1998. https://doi.org/10.1145/276698.276741

  16. Chia, N.-H., Chung, K.-M., Yamakawa, T.: A black-box approach to post-quantum zero-knowledge in constant rounds. In: Malkin, T., Peikert, C. (eds.) CRYPTO 2021. LNCS, vol. 12825, pp. 315–345. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-84242-0_12

  17. Chiesa, A., Ma, F., Spooner, N., Zhandry, M.: Post-quantum succinct arguments: breaking the quantum rewinding barrier. In: 2021 IEEE 62nd Annual Symposium on Foundations of Computer Science (FOCS), pp. 49–58. IEEE (2021)

  18. Clauser, J.F., Horne, M.A., Shimony, A., Holt, R.A.: Proposed experiment to test local hidden-variable theories. Phys. Rev. Lett. 23, 880–884 (1969)

  19. Cleve, R., Hoyer, P., Toner, B., Watrous, J.: Consequences and limits of nonlocal strategies. In: Proceedings of the 19th IEEE Annual Conference on Computational Complexity, pp. 236–249. IEEE (2004)

  20. Dodis, Y., Jain, A., Moran, T., Wichs, D.: Counterexamples to hardness amplification beyond negligible. In: Cramer, R. (ed.) TCC 2012. LNCS, vol. 7194, pp. 476–493. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-28914-9_27

  21. Dwork, C., Naor, M., Reingold, O., Stockmeyer, L.J.: Magic functions. In: 40th FOCS, pp. 523–534. IEEE Computer Society Press, October 1999. https://doi.org/10.1109/SFFCS.1999.814626

  22. Gentry, C.: Fully homomorphic encryption using ideal lattices. In: Mitzenmacher, M. (ed.) 41st ACM STOC, pp. 169–178. ACM Press, May/June 2009. https://doi.org/10.1145/1536414.1536440

  23. Goldreich, O., Krawczyk, H.: On the composition of zero-knowledge proof systems. SIAM J. Comput. 25(1), 169–192 (1996)

  24. Goldwasser, S., Kalai, Y.T.: On the (in)security of the Fiat-Shamir paradigm. In: 44th FOCS, pp. 102–115. IEEE Computer Society Press, October 2003. https://doi.org/10.1109/SFCS.2003.1238185

  25. Gorbunov, S., Vaikuntanathan, V., Wee, H.: Attribute-based encryption for circuits. In: Boneh, D., Roughgarden, T., Feigenbaum, J. (eds.) 45th ACM STOC, pp. 545–554. ACM Press, June 2013. https://doi.org/10.1145/2488608.2488677

  26. Goyal, R., Koppula, V., Waters, B.: Lockable obfuscation. In: Umans, C. (ed.) 58th FOCS, pp. 612–621. IEEE Computer Society Press, October 2017. https://doi.org/10.1109/FOCS.2017.62

  27. van de Graaf, J.: Towards a formal definition of security for quantum protocols. Ph.D. thesis, University of Montreal (1997)

  28. Hofheinz, D., Rao, V., Wichs, D.: Standard security does not imply indistinguishability under selective opening. In: Hirt, M., Smith, A. (eds.) TCC 2016, Part II. LNCS, vol. 9986, pp. 121–145. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53644-5_5

  29. Kahanamoku-Meyer, G.D., Choi, S., Vazirani, U.V., Yao, N.Y.: Classically-verifiable quantum advantage from a computational Bell test. arXiv preprint arXiv:2104.00687 (2021)

  30. Kalai, Y.T., Lombardi, A., Vaikuntanathan, V., Yang, L.: Quantum advantage from any non-local game. Cryptology ePrint Archive, Report 2022/400 (2022). https://ia.cr/2022/400

  31. Koppula, V., Ramchen, K., Waters, B.: Separations in circular security for arbitrary length key cycles. In: Dodis, Y., Nielsen, J.B. (eds.) TCC 2015. LNCS, vol. 9015, pp. 378–400. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46497-7_15

  32. Lombardi, A., Ma, F., Spooner, N.: Post-quantum zero knowledge, revisited (or: how to do quantum rewinding undetectably). Cryptology ePrint Archive, Report 2021/1543 (2021). https://eprint.iacr.org/2021/1543

  33. Lombardi, A., Mook, E., Quach, W., Wichs, D.: Post-quantum insecurity from LWE. Cryptology ePrint Archive, Paper 2022/869 (2022). https://eprint.iacr.org/2022/869

  34. Naor, M., Reingold, O.: Number-theoretic constructions of efficient pseudo-random functions. In: 38th FOCS, pp. 458–467. IEEE Computer Society Press, October 1997. https://doi.org/10.1109/SFCS.1997.646134

  35. NIST CSRC: Post-quantum cryptography. https://csrc.nist.gov/Projects/Post-Quantum-Cryptography

  36. Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: Gabow, H.N., Fagin, R. (eds.) 37th ACM STOC, pp. 84–93. ACM Press, May 2005. https://doi.org/10.1145/1060590.1060603

  37. Rothblum, R.D.: On the circular security of bit-encryption. In: Sahai, A. (ed.) TCC 2013. LNCS, vol. 7785, pp. 579–598. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-36594-2_32

  38. Shor, P.W.: Algorithms for quantum computation: discrete logarithms and factoring. In: 35th FOCS, pp. 124–134. IEEE Computer Society Press, November 1994. https://doi.org/10.1109/SFCS.1994.365700

  39. Unruh, D.: Quantum proofs of knowledge. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 135–152. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_10

  40. Unruh, D.: Computationally binding quantum commitments. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9666, pp. 497–527. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49896-5_18

  41. Watrous, J.: Zero-knowledge against quantum attacks. In: Kleinberg, J.M. (ed.) 38th ACM STOC, pp. 296–305. ACM Press, May 2006. https://doi.org/10.1145/1132516.1132560

  42. Wichs, D., Zirdelis, G.: Obfuscating compute-and-compare programs under LWE. In: Umans, C. (ed.) 58th FOCS, pp. 600–611. IEEE Computer Society Press, October 2017. https://doi.org/10.1109/FOCS.2017.61

  43. Yamakawa, T., Zhandry, M.: Classical vs quantum random oracles. In: Canteaut, A., Standaert, F.-X. (eds.) EUROCRYPT 2021. LNCS, vol. 12697, pp. 568–597. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-77886-6_20

  44. Yamakawa, T., Zhandry, M.: Verifiable quantum advantage without structure. arXiv preprint arXiv:2204.02063 (2022)

  45. Zhandry, M.: How to construct quantum random functions. In: 53rd FOCS, pp. 679–687. IEEE Computer Society Press, October 2012. https://doi.org/10.1109/FOCS.2012.37

  46. Zhandry, M.: Secure identity-based encryption in the quantum random oracle model. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 758–775. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32009-5_44

  47. Zhang, J., Yu, Y., Feng, D., Fan, S., Zhang, Z., Yang, K.: Interactive proofs for quantum black-box computations. Cryptology ePrint Archive (2020)

Author information

Corresponding author: Willy Quach

Copyright information

© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper


Cite this paper

Lombardi, A., Mook, E., Quach, W., Wichs, D. (2022). Post-quantum Insecurity from LWE. In: Kiltz, E., Vaikuntanathan, V. (eds) Theory of Cryptography. TCC 2022. Lecture Notes in Computer Science, vol 13747. Springer, Cham. https://doi.org/10.1007/978-3-031-22318-1_1


  • DOI: https://doi.org/10.1007/978-3-031-22318-1_1


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-22317-4

  • Online ISBN: 978-3-031-22318-1
