Can you sign a quantum state?

Cryptography with quantum states exhibits a number of surprising and counterintuitive features. In a 2002 work, Barnum et al. argue that these features imply that digital signatures for quantum states are impossible (Barnum et al., FOCS 2002). In this work, we ask: can all forms of signing quantum data, even in a possibly weak sense, be completely ruled out? We give two results which shed significant light on this basic question. First, we prove an impossibility result for digital signatures for quantum data, which extends the result of Barnum et al. Specifically, we show that no nontrivial combination of correctness and security requirements can be fulfilled, beyond what is achievable simply by measuring the quantum message and then signing the outcome. In other words, only classical signature schemes exist. We then show a positive result: a quantum state can be signed with the same security guarantees as classically, provided that it is also encrypted with the public key of the intended recipient. Following classical nomenclature, we call this notion quantum signcryption. Classically, signcryption is only interesting if it provides superior performance to encypt-then-sign. Quantumly, it is far more interesting: it is the only signing method available. We develop"as-strong-as-classical"security definitions for quantum signcryption and give secure constructions based on post-quantum public-key primitives. Along the way, we show that a natural hybrid method of combining classical and quantum schemes can be used to"upgrade"a secure classical scheme to the fully-quantum setting, in a wide range of cryptographic settings including signcryption, authenticated encryption, and CCA security.


Introduction
The Internet of the future will plausibly include both large-scale quantum computers and highcapacity quantum channels.How will we securely transmit (quantum) data over the resulting "quantum Internet"?Methods based on entanglement (e.g., teleportation) are costly, using many rounds of interaction to build a shared state which must be at least as large as the data itself.Classically, encryption and authentication offer a non-interactive approach with several attractive features: (i.) keys exchanged over public channels, (ii.) a short key suffices for transmitting unlimited amounts of data, and (iii.)security guarantees are maximal for both secrecy and authenticity.Can we encrypt, authenticate, and sign quantum data to the same standard?
Classical digital signatures, for instance, are ubiquitous in everyday cryptography, with applications ranging from secure software distribution and email signatures to e-governance and cryptocurrencies.Given their importance in the classical world, it is natural to ask whether it is possible to devise digital signature schemes for quantum data.Unlike its private-key analogue (see, e.g., [12,14,18,10] and references therein), this question has been considered in only one previous work [7].There, the authors argue in a brief discussion that quantum digital signatures must be impossible.They also suggest that one can use classical public-key cryptography and onetime quantum authentication to build a scheme they call "public-key quantum authentication."However, despite having many clever insights, this work entailed no formal security definitions or rigorous proofs regarding quantum signatures, and the theory remains mostly undeveloped.
In this work, we return to the problem of signing quantum states, with a rigorous and formal approach.We prove that any quantum digital signature scheme that is correct must be insecure.
In addition, we fully address the question of whether there exists any feasible trade-off in security and correctness requirements which makes signing quantum states possible.

Impossibility of quantum signatures
We first define quantum signature schemes, leaving as much room as possible for achievable notions.

Definition 1.1 (informal).
A quantum signature scheme (or QS) is a pair (Sign, Ver) of keyed quantum polynomial time (QPT) algorithms.
• A QS is simply correct if it is correct for N being the identity map.
• A QS is ε-one-time-secure for a map L if, for every adversary A, the "attack map" L • Ver vk • A • Sign sk can be simulated (up to ε loss) by an algorithm which either applies L or discards the input.
Requiring correctness only for certain maps N , or security only for certain maps L, weakens the definition in that the (secure) further use of the verified state is limited.We have relaxed the classical requirement that a signature is additional information that accompanies the message; quantumly, this is impossible due to no-cloning.Instead, correctness requires that (some part of) the message is recovered at verification time.See Section 5.1 for a discussion.
We prove two strong impossibility results.First, we show that full correctness implies negligible security, even in a very weak one-time sense which only guarantees the integrity of the outcomes of a single two-outcome measurement.Second, if we fix a pair of measurements and then ask only for correctness and security of their outcomes, then those measurements must commute.Theorem 1.2 (informal).Let Π be a quantum signature scheme.
1.If Π is correct, then it is at most (1 − negl(n))-one-time secure for any two-outcome measurement M .
The measurement maps above are viewed as channels which measure and then output the outcome, discarding the post-measurement state.This result shows convincingly that signature schemes can only sign classical information.Theorem 1.2 is proven via a reduction that constructs a malleability attack from a distinguishing attack.The key-dependence of the latter prevents an application of the result from [7] and necessitates more refined techniques based on the Stinespring dilation as well as a related approximation result [16].

Quantum signcryption
Our impossibility results appear to be devastating to prospects for public-key cryptography with quantum data.They seem to imply that authenticated communication requires each pair of parties to share a secret key.For networks with a large number of parties, or where parties frequently come and go, this is an unwieldy and highly inefficient solution.
In the second part of our work, we show that this particular application of signatures can still be achieved.The key observation is that impossibility can be circumvented if we also encrypt the message.This rules out public verification (in that case, the adversary can decrypt, making the encryption pointless.)Instead, for each transmission, we select an intended recipient and encrypt using their public key.Classically, such combined schemes are called signcryption, and are of interest only insofar as they provide efficiency gains over combined encryption and signing [21].This is in stark contrast to the quantum world: our results show that signcryption provides the only way to achieve integrity and authenticity without a pre-shared secret.

(signcrypt) SigEnc
In the envisioned usage, each party on a network first runs key generation, publishing their "verify/encrypt key" vek while keeping their "sign/decrypt key" sdk private.When a sender S wishes to send a state σ M to a recipient R, they apply SigEnc sdk S ,vek R using their private key and the public key of R. When R receives the signcryption C , they apply VerDec vek S ,sdk R using their private key and the public key of S. Note that "⊕ 0 ⊥ " above indicates that this process of signcryption followed immediately by verified decryption (with the correct keys) never rejects.We remark that the general definition for the multi-user setting will also need to keep track of "user IDs" in order to prevent identity fraud.

Quantum signcryption security.
Signcryption security is naturally divided into two settings, according to whether the adversary has access to the private key of one of the parties (the sender or the recipient) or not.
First, outsider security ensures that, if S and R are honest parties, then their channel is private and authenticated against adversaries from whom sdk S and sdk R are kept secret.Second, insider security ensures that, if one party's secret key is compromised, the security guarantees ensured by the other party's secret key still hold.If the sender key is revealed, the receiver should still enjoy full privacy.The other case is quantumly unachievable: impossibility for signatures implies that releasing the receiver's secret key results in a forgeable (hence useless) scheme.In particular, quantum signcryption cannot provide non-repudiation.
Formally defining quantum signcryption security is a challenge, as it is analogous to authenticated encryption, a notion which is troublesome in the quantum setting.The usual definitions require the ability to copy and compare previous queries with outputs of the adversary (e.g., to see if the adversary is attempting to decrypt the challenge.)Fortunately, a recent approach [3] shows the way forward on such definitions.The idea is to "split" the standard security game into two experiments: an "unrestricted" experiment and a "cheat-detecting" experiment.In the unrestricted experiment, the adversary freely interacts with SigEnc and VerDec oracles.In the cheat-detecting experiment, the modified signcryption oracle signcrypts half of a maximally entangled state and stores the other half together with the adversary's plaintext.The modified verified-decryption oracle decrypts the input ciphertext, and checks if it is maximally entangled with one of the stored registers; if it is, it returns the corresponding stored plaintext.
Following this approach, we define outsider signcryption security through a pair of experiments, or games, as follows.

Constructions, security proofs
Finally, we give secure constructions for quantum signcryption.Along the way, we also give several new results of independent interest.These results "bootstrap" classical security properties to the quantum setting via a generic classical-quantum hybrid construction Π Hyb [Π, Σ] combining a classical scheme Π with a quantum scheme Σ.The key (or keys) for Π Hyb [Π, Σ] are the same as for Π.To encrypt , we generate a fresh key k for Σ and encrypt with k.Furthermore, we "encapsulate" k by encrypting it with Π and attaching the resulting classical encryption to the encryption of .Decryption first decapsulates the Σ-key k, then uses it to decrypt the rest.Theorem 1.7 (informal).Let Σ be one-time quantum authenticating (cQCA [3].) 2. If Π is a post-quantum AE scheme, then Π Hyb [Π, Σ] is a quantum AE scheme.

Related work
As discussed above, the only previous work which directly addressed our topics of interest1 is Barnum et al.'s work on authentication of quantum states [7].In the realm of signature impossibility, we improve the state of affairs from [7] significantly: we give formal definitions for correctness and security and a rigorous proof of a much stronger impossibility result.Indeed, only classical signatures are possible is a much stronger statement (with far greater implications) than fully-secure signing for all quantum states is impossible.In the realm of possibility, we develop a thorough foundation for the theory of quantum signcryption, which was briefly suggested (and called "public key quantum authentication") in [7].In particular, we give formal definitions for correctness and security, examine insider and outsider attack scenarios, and give constructions and security proofs in the many-time setting (including CPA and CCA security.)Our approach to defining security for quantum signcryption expands the ideas of [3] to the public-key setting.We give a new characterization lemma for encryption schemes which enables this expansion.We also give a generalization of the security proofs of [3,2,8], establishing that classical-quantum "hybrid schemes" inherit the security properties of their component schemes in a very broad setting, including symmetric-key authenticated encryption, public-key encryption, and signcryption.
The security notions from [3] were recently examined from a composable security point of view [6].The conclusion of that work was that the "real/ideal" definition of Quantum Authenticated Encryption from [3] does guarantee composable security.This implies that the strongest notions of quantum singcryption security in this paper are composable as well.

Notation and Conventions
We will largely use the conventions regarding quantum information from [17].We use H M to denote a complex Hilbert space with label M and finite dimension dim M .A quantum register is a physical system whose set of valid states is D(H M ).In our setting, a "quantum register M " is in fact an infinite family of registers {M n } n∈N consisting of p(n) qubits, where p is some fixed polynomial.The notation τ M will mean the maximally mixed state (i.e., uniform classical distribution) 1/ dim M on M .We denote the euclidean norm of a vector, the trace norm of a matrix, and the diamond norm of an operator on a matrix space, by • 2 , • 1 and • , respectively.We set down notation for other norms as we use them.By "QPT" we mean a polynomial-time uniform family of quantum circuits, i.e., an efficient quantum algorithm.Quantum algorithms implement completely positive (CP), trace-preserving (TP) maps, i.e., quantum channels.To indicate that Φ is a channel from register A to B, we will write Φ A→B .We often drop tensor products with the identity, e.g., given a map Ψ BC→D , we will write Ψ • Φ to denote the map Ψ • (Φ ⊗ id C ) from AC to D. For us, all classical schemes will be post-quantum secure, i.e., secure against QPT adversaries.

Quantum and Classical Cryptographic Primitives
We use n to denote the security parameter, and we write it as 1 n in unary form.A function is negligible if it grows asymptotically slower than 1/p(n) for every polynomial p.The notation x $ ← − X means that x is sampled uniformly at random from the set X.

(key generation)
Definition 2.2.A public-key quantum encryption scheme (or PKQE) is defined as a triple of QPT algorithms: 1. (key generation) KeyGen : on input All the spaces have poly(n) bits or qubits; K, K E , K D are classical, and C, M are quantum.We assume w.l.o.g. that dk also includes ek, and k, ek also include n.

Quantum Authentication
Given an attack map Λ CB→C B on a scheme Π = (KeyGen, Enc, Dec) (where the adversary holds B and B), we define the "effective attack map" by where the expectation is over the keys and classical randomness used by Enc.Intuitively, a notion of authentication requires that, conditioned on acceptance, this map is the identity on M .
The standard one-time quantum authentication notion is "DNS" [12].It states that, for any attack map Λ, the effective attack map E k [Dec k • Λ • Enc k ] is equivalent to a combination of the identity and a "discard" map, along with some map on the adversary's private space.This provides for authentication of the plaintext only [3].A stronger notion, called quantum ciphertext authentication (QCA,) prevents any adversarial modification of the ciphertext [3] by placing further constraints on the simulator.Here, we recall both notions.

Definition 2.3 ([12]
).A SKQE Π = (KeyGen, Enc, Dec) is DNS-authenticating if, for any CP-map Λ CB→C B , there exist CP-maps Λ acc B→ B and Λ rej B→ B that sum to a TP map, such that: where While DNS and QCA are information-theoretic notions, it is straightforward to define variants which only require security against QPTs; we denote these by cDNS and cQCA, respectively.In these variants, as well as for security notions that we define in this paper, the condition on the diamond norm is relaxed by only requiring that no QPT adversary can distinguish the real and simulated channels with more than negligible advantage over guessing, i.e., the two channels are computationally indistinguishable.
All of these notions can be achieved with a simple scheme, as follows [1,12,3].The key selects a random element C k of the Clifford group.Encryption maps to C k ( ⊗ |0 n 0 n |) C † k .Decryption undoes C k , and rejects if any of the attached qubits yield a non-zero measurement.

Quantum Secrecy
For encryption schemes, basic secrecy is straightforward to generalize to the quantum case, and yields the QIND, QIND-CPA, and QIND-CCA1 notions [2,8] which are quantum analogues of the corresponding classical security notions.The quantum counterparts of stronger notions like IND-CCA2 or authenticated encryption (AE) require much more care; fortunately, a recent work showed that a solution is possible [3].
For SKQE schemes, we follow [3] for the notion of quantum authenticated encryption (QAE), while for PKQE schemes, we formally define the novel notion of quantum indistinguishability under adaptive chosen-ciphertext attack (QIND-CCA2) in Section A.3.However, to simplify exposition, we will focus on the (weaker) plaintext security (cDNS-based) variants of these two notions.This means that we only check whether the adversary is attempting to 'cheat' on the level of plaintexts, as in Experiment 1.5.We attach a "w" to the acronyms to indicate this distinction, and define these notions formally in Section 3. We use this approach for ease of exposition only: In Section 7.3, we describe how to extend all our results on signcryption to the full, ciphertext-secure setting.

Weak CCA2 Security for Public-Key Quantum Encryption
In Section A.3 we first formally define CCA2 security for PKQE schemes.Therein, we follow the route of symmetric-key quantum encryption schemes by adopting techniques from [3].
However, in the present work, for ease of exposition, we start by using integrity check techniques based on the simpler and more familiar DNS notion of plaintext authentication instead of the more refined notion of QCA from [3].Therefore, in this section we define a cDNS-style version of QIND-CCA2, which we call weak CCA2 (QIND-wCCA2).Here, intuitively, the decryption oracle refuses to decrypt any ciphertext that decrypts to the challenge plaintext.This, in particular, has the advantage that the analysis in this section applies to all quantum encryption schemes (see [3] for details).On the other hand, this approach requires the repeated application of the Gentle Measurement Lemma [20], and can therefore only be fulfilled by schemes with plaintext spaces of large dimension, with a loss in the tightness of the resulting reductions.While not providing the best possible quantum counterpart to IND-CCA2, this notion fits the simplified framework of this work, and the upgrade to QIND-CCA2 via the QCA-based setting is straightforward as discussed in Section 7.3.See Section A.3 for a formal definition of the upgraded notion.
We define QIND-wCCA2 in terms of adversaries playing two games.The first game is the same as QCCA2-Test from [3] for the symmetric-key case, except that the Enc oracle is replaced by the public key; in this game there are no restrictions on the use of Dec dk by A 2 .In the cheat-detection game QwCCA2-Fake, instead, the adversary is declared to cheat whenever he replays the challenge state (and declared to cheat anyway with probability 1/2 otherwise).The only difference in respect to QCCA2-Fake from [3] (beyond the replacement of the Enc oracle with the public key), is that the challenge-replay test is done cDNS-style (detecting plaintext replay) instead of cQCA-style (detecting ciphertext replay), as discussed above.
(3) if the outcome is 1 then: abort and output cheat; else return M ; We define QIND-wCCA2 in terms of the advantage gap of adversaries between the two games.
Clearly, because an adversary for QIND-wCCA2 is also an adversary for QIND-CCA1 with additional power and additional constraints on the scheme itself, we see that QIND-wCCA2 implies QIND-CCA1 and hence also QIND-CPA.Proposition 3.4.Let Π be a QIND-wCCA2 PKQE.Then Π is also QIND-CCA1 and QIND-CPA.

Weak QAE for Symmetric-Key Quantum Encryption
Here we define a "weak" (cDNS-style) version of the notion of quantum authenticated encryption QAE for SKQE schemes, that we denote as wQAE.This will be used in Section 7.1.We start from the QAE-Real and QAE-Ideal games defined in [3] for QAE, but in the latter game we replace the cQCA-style replay check by a cDNS-style replay check.We call the new game wQAE-Ideal.

3: define channel D C→M as follows:
(1) apply Dec k to C, place results in M ; (2) for each (M , M ) ∈ M do: A SKQE is now defined to be weak quantum authenticated encryption (wQAE) if no QPT adversary can reliably distinguish the two.

Definition 3.7. A SKQE Π is wQAE if for all QPT adversaries A it holds:
Analogously we say that a classical SKE scheme is wAE secure if it fulfills the classical restriction of the above (see [3]), defined by games AE-Real and wAE-Ideal, following the real vs ideal characterization of AE by Shrimpton [19].Clearly, because an adversary for wQAE is also an adversary for QIND-CCA1 with additional power and additional constraints on the scheme itself, we see that wQAE implies QIND-CCA1 and hence also QIND-CPA.Proposition 3.8.Let Π be a wQAE SKQE.Then Π is also QIND-CCA1 and QIND-CPA.

Basic Definitions
In this section we study the security of canonical SKQE and PKQE schemes constructed in a hybrid classical-quantum way.Namely, we will use a classical SKE (or PKE) scheme to encrypt a random one-time key, and then use that key to encrypt a quantum state with a (usually one-time secure) SKQE.We denote the resulting construction of symmetric-(resp., public-) key quantum encryption by Π Hyb SKQE (resp., Π Hyb PKQE ).

Security of Hybrid Symmetric-Key Encryption
We now show that the hybrid construction for symmetric-key schemes, Π Hyb SKQE , can be used to lift the security of a SKQE scheme from cQCA to QAE, by combining it with a classical AE scheme.We begin by defining a hybrid game Hybrid 0, modifying the encryption and decryption routine.For encryption, we replace the encrypted one-time key k used for Enc Qu by an encryption of a freshly sampled key k ← KeyGen Qu and store (k , k ) in a database S. For decryption, we first decrypt the classical part of the ciphertext and check whether the result is equal to one of the k in S. If not, return ⊥, if so, use the corresponding k to decrypt the quantum ciphertext and return the result.Suppose now that there exists an adversary A that can distinguish QAE-Real and Hybrid 0. Then we can build an adversary A' that distinguishes the real and ideal worlds, AE-Real and AE-Ideal, in the characterization of AE.This is done by simulating the QAE-Real game played by A, assuming we are in the AE-Real world.It turns out that this results in A' simulating Hybrid 0 when in the AE-Ideal world.Hence QAE-Real and Hybrid 0 are indistinguishable by the AE security of Π Cl .
We continue to show that the experiments Hybrid 0 and wQAE-Ideal are indistinguishable due to the cDNS security of Π Qu .
We proceed using a standard hybrid method over the encryption queries of A. We define Hybrid i to replace the quantum plaintext by half of a maximally entangled state for the first i queries, storing the other half together with the pair (k , k ) and the plaintext.For the remaining queries it behaves like Hybrid 0. The decryption routine behaves like in Hybrid 0, unless the presented onetime key matches one from the first i queries, then it performs the entanglement check measurement as in wQAE.
We will now use the cDNS security of Π Qu .Applying the definition of cDNS to the outputs of an attack map Λ C→C sequentially shows that cDNS security also implies the existence of a simulator in the case of one encryption, but many decryptions.Here, the simulator has the form where B is the adversary's side information register.This is proven in detail in Lemma A.1.We can replace the combination "i + 1-st encryption -attack -decryptions matching k i+1 " by this simulator in both Hybrids i and i+1, yielding Hybrids i a and (i+1) b which are indistinguishable from Hybrids i and i + 1, respectively.It remains to observe that the entanglement tests in Hybrid i + 1 exactly project onto the respective identity contribution of Λ Sim (a similar idea to the Broadbent-Waynewright simulator [9]), i.e.
B→B . ( This immediately implies that Hybrids i a and (i + 1) b are identical.We conclude that Hybrid 0 and Hybrid q are indistinguishable.It remains to show that Hybrid q and wQAE-Ideal are indistinguishable.This follows by Gentle Measurement [20]: every time the entanglement test is applied to the current plaintext and an unrelated purification, the state remains unperturbed.

Security of Hybrid Public-Key Encryption
In this section, we prove the security of the hybrid construction Π Hyb PKQE under suitable building blocks.For PKQE schemes, the notions of QIND-CPA and QIND-CCA1 are defined in [2,8], where the adversary A = (A 1 , A 2 ) consists of two parts (pre-challenge and post-challenge), and is playing against a challenger C, which is a fixed algorithm determined only by the security game and the scheme.The security of the hybrid construction Π Hyb PKQE for these two notions is trivial.
Proof.We will prove the CPA case; the CCA1 case is essentially identical.For a contradiction, let A be a QPT machine which wins the QIND-CPA game against Π Hyb PKQE [Π PKE , Π SKQE ] with probability 1/2 + δ where δ is non-negligible in n.Let A 1 and A 2 be the pre-challenge and post-challenge algorithms of A. Define an adversary A against Π PKE as follows.The pre-challenge algorithm A 1 accepts ek, runs ← A 1 (ek), and outputs m ← KeyGen SKQE (1 n ).The post-challenge algorithm A 2 , on input c, proceeds as follows: We now prove that the hybrid construction Π Hyb PKQE also inherits (cDNS-style) CCA2 security from the underlying PKE, provided the underlying SKQE is now not only QIND, but also (cDNS-style) authenticating.
Theorem 4.5.Let Π PKE be an IND-CCA2 PKE scheme, and let Π SKQE be a cDNS-secure SKQE scheme.Then Π Hyb PKQE [Π PKE , Π SKQE ] is a QIND-wCCA2-secure PKQE scheme.Proof sketch.(For details, see Section A.2). We follow the same strategy as the proof of QIND-CPA security, i.e., Theorem 4.4.Specifically, given an adversary A which can distinguish the "test" and "fake" games, we will build an adversary A against the CCA2-secure classical public-key scheme.This adversary proceeds as follows: (1.) pass the input (1 n and the public key ek) to start A; (2.) simulate each decryption query in the obvious way: query the PKE Dec oracle on the classical part of the input, then decrypt the quantum part using the resultant plaintext as the SKQE key.(3.)When A outputs the challenge , send a fresh one-time key k as our IND-CCA2 challenge, receive the challenge PKE ciphertext c back.(4.)Now flip a coin b to decide whether, for the remainder of the game, we will simulate the "test" game (b = 0) or the "fake" game (b = 1) with A. In the case "test", we will use the challenge ciphertext (c, Enc QCA k ( )).Clearly, in this case, we can faithfully simulate the rest of the game.(5.) if A correctly guesses b, we output 0. If not, we output a fair coin.
We argue that A wins the PKE IND-CCA2 game with non-negligible advantage over random guessing.First, if the PKE challenge bit is 0 (i.e., undisturbed challenge), then we are faithfully simulating A in either the "test" or the "fake" games.We will thus gain precisely the advantage of A over random guessing, in this case.It remains to check that, if the PKE challenge bit is 1 (i.e., discarded challenge), then A does no worse than random guessing.This is done by reduction to cDNS security.Note that, in this case, the SKQE encryption provided to A is performed with a key k which is independent of all other random variables in the game (since c is an encryption of a random string, and not k.)If the adversary can nonetheless distinguish the "test" game from the "fake" game, then (by the definition of these games) this implies that he cannot be simulated by an "ignore or discard" channel demanded by the cDNS security definition.
The above theorem also extends to the stronger ciphertext security (cQCA-based) case, yielding QIND-CCA2 hybrid PKQE, as defined in Section A.3.We can now summarize all the results discussed in this section.

Defining Quantum Signatures
In this section we discuss how to properly define in a formal way what a quantum signature scheme should be.A first attempt would be to translate "quantumly" in the most natural way the usual definition of classical schemes; that is, trying to define the following.Moreover, the following correctness property must hold: Looking at the above definition, it is clear that there is an issue: the Sign and Ver procedures consume the same message state.This is impossible in the quantum setting, given the no-cloning theorem 2 .A natural "fix" would be to make sure that both the Sign and Ver algorithms output an unmodified copy of the message state.This would lead to the following.Definition 5.2 (Quantum Signature, Wrong Definition #2).A quantum signature scheme (or QS) with signing-verifying key space {S n } n × {V n } n (where {S n } n and {V n } n are family of spaces of bitstrings of size polynomial in n), message space P and signature space C (both being complex Hilbert spaces of fixed finite dimension) is a triple of QPT algorithms: 1. (key generation) KeyGen : on input 1 n , outputs signing-verifying key pair (sk, vk) ∈ S n × V n , where we assume w.l.o.g. that sk includes vk, and vk includes n.

(Sign)
Sign: on input a signing key sk ∈ S n and a quantum state µ ∈ D(P), outputs two quantum states: a quantum message µ ∈ D(P) and a quantum signature σ ∈ D(C); we write this as (σ, µ ) ← Sign sk (µ).Moreover, the following correctness properties must hold:

(Verify
It is easy to notice that this definition also has problems.First of all, the conditions on the signing map are too strong, as they imply (again by no-cloning) that the signature cannot be noticeably correlated with the message state itself.This would make the goal of achieving any reasonable security notion hopeless.The third correctness condition is also unnecessarily strong, as it requires that the original state is recovered even when verification fails.
This finally leads to the following definition.

(sign) Sign
Due to no-cloning, we relaxed the classical requirement that a signature is an additional string accompanying the message.The key space K S × K V is a family of sets of bitstrings of size poly(n), and M and C are quantum registers of poly(n) qubits.In a typical setting, the verification key vk will be public, while the signing key sk stays private.Since our goal is to show impossibility, we define correctness separately from the basic definition and allow for schemes with very weak guarantees.
Recall that a projector P defines a two-outcome measurement channel for all (sk, vk) ← KeyGen(1 n ).More generally, given a finite set N of two-outcome measurements on for all (sk, vk) ← KeyGen(1 n ) and all N ∈ N .
Definition 5.5.Let L be a finite set of two-outcome measurements on the space H M ⊕ |⊥ .A QS is ε-one-time L-secure if, for any QPT adversary A, for all L ∈ L there exists a probability p ∈ [0, 1] such that Here, ⊥ denotes the reject map X → |⊥ ⊥| ⊗ Tr(X).The constraint (4) is essentially a weakened version of the DNS authentication security definition [11], adapted to the public-key case.It is weakened in three ways: (i.) we only ask for computational security, (ii.) the adversary does not hold any side information about the plaintext, and (iii.)security only holds for the selected set of measurements.Note that correctness and security are not required to hold for the same set of measurements.In any case, as we will show next, even such security cannot be achieved except for trivial choices of N and L.

Impossibility of Quantum Signatures
First of all we recall (a quantum channel version of) Uhlmann's theorem [16].In the following, we will denote the operator norm by • ∞ .
Theorem 5.6 (Theorem I in [16]).Let T (i) A→A , i = 1, 2 be quantum channels with the same input and output systems, and let U (i) A→AE be Stinespring dilation isometries of T (i) .Then there exists a unitary To prove our strong impossibility result, we will need the following technical lemma characterizing quantum encryption.Lemma 5.7 (generalization of Lemma B.9 in [4]).Let Π = (KeyGen, Enc, Dec) be a PKE with exact (approximate) correctness.Then Enc and Dec have the following form, for every key pair k = (dk, ek): Here, σ k is a state on register T , P σ k T and P σ k T is an orthogonal projector such that P σ k T σ k P σ k T −σ k is negligible, V k is a unitary operator and ε is negligible.Proof.To simplify notation, we fix a key pair k and omit all key subscripts.We indicate input and output systems for channels, and support systems for operators, using subscripts as necessary.Let (U ) M →CE , and (W ) C→M F , be Stinespring dilation isometries of Enc, and Dec, respectively, i.e., Enc(X) = Tr E U XU † and Dec(Y ) = Tr F W Y W † .Now, ε-approximate correctness together with Theorem 5.6 implies that there exists a pure state |φ EF such that Let ŴCR→MF be a unitary such that ŴCR→MF |0 R = W C→M F .Such a unitary exists without loss of generality (If C does not divide M F , we can just pick a bigger F ).By unitary invariance of operator norm, by the sub-multiplicativity of the operator norm.Let be the singular value decomposition of the second matrix.Equation 5 implies M F →CR |φ EF is an isometry.Combining Equations ( 5) and ( 6), we arrive at where the first inequality is due to the definition of the diamond norm and the fact that the trace norm is non-increasing under partial trace, and the second inequality is a double application of Hölder's inequality.Ẽ nc has the form we want, although this fact is still quite hidden.To show it, we define and letting V be a completion of Aκ −1/2 to a unitary shows now that Ẽ nc has the desired form.For notational convenience, define δ = ε + 4 √ ε.To show the form of the decryption map, observe that, again by Theorem 5.6, there exists a possibly different Stinespring dilation isometry W C→CT for Dec and a state |φ k ET such that In particular, there is a unitary with Let P T = i:qi≥(4δ) 1/6 |γ i γ i |.Then we get where we have used Equation 8 and the fact that rkP ≤ 1 (4δ) . Using that W is a Stinespring dilation isometry for Dec shows the second claimed inequality.
Note that the behavior of Dec dk can be arbitrary outside of the range of The standard behavior is to output the reject symbol ⊥ when presented with an invalid ciphertext.This lemma gives an information-theoretic characterization of the channels Enc ek , Dec dk ; this is why it's ok that V and σ are indexed by the keypair.This does not guarantee that Enc ek can be efficiently implemented in this form: knowledge of ek alone is not enough to efficiently implement σ k and V k (otherwise it would also be enough to decrypt!).In actual schemes, ek is enough to efficiently implement σ k and V k on relevant inputs for encryption 3 .By viewing σ dk in its eigenbasis, we see that the characterization can be enhanced so it only uses classical randomness.
Corollary 5.8.Let Π = (KeyGen, Enc, Dec) be a PKQE.Then for every key pair k := (ek, dk), there exists a probability distribution p k : {0, 1} t → [0, 1] and a family of quantum states |ψ (k,r) T such that Enc k is equivalent to the following algorithm: (i.) sample r ∈ {0, 1} t according to p k ; (ii.) apply the map X Here V k and T are as in Lemma 5.7, and t is the number of qubits in T .
Importantly, even if Enc k is a PPT algorithm, the functionally-equivalent algorithm provided by Corollary 5.8 may not be.We thus define the following.Condition 5.9.Let Π be a PKQE, and let p k , |ψ (k,r) and V k be as in Corollary 5.8.We say Π satisfies Condition 5.9 if there exist QPTs for (i.) sampling from p k , (ii.) preparing |ψ (k,r) , and (iii.)implementing V k on inputs of the form ⊗ |ψ (k,r) ψ (k,r) |, and this holds for all but a negligible fraction of k and r.
We stress that we are not aware of any known or trivially defined construction of PKQE where Condition 5.9 does not hold.
We will now show that a QS cannot be both correct and secure for a pair of measurements unless those measurements commute, in the sense that their sequential application yields the same outcome distribution no matter the order.Recall that a measurement M also defines an instrument, i.e., a measurement map that keeps the post-measurement state, by In the following theorem, the composition of measurements is understood to mean that the instrument of the first measurement is applied and the the second measurement acts on the postmeasurement state of the first one, i.e.
The index of the outcome register R is tied to the index of the instrument, not to the order the measurements are performed, i.e.
Proof.The plan is as follows.The scheme is correct for M 0 , the two-outcome measurement defined by a projector P 0 .Using this, one can show that running the verification circuit (without discarding qubits, and delaying measurements), applying the reflection unitary U = 1 − 2P 0 and running the inverse of the verification circuit, produces a valid signed state.More precisely, if the described attack is applied to a signed state obtained from signing |ψ , the resulting state is a signed state that can be also obtained from signing U |ψ .But if M 0 and M 1 don't commute, then the unitary U changes the outcome of M 1 .Therefore the measurements have to commute, up to an error equal to the soundness error ε.We now explain the details.Assume that there exists efficiently preparable M R such that Let |ψ M RE be an efficiently preparable purification of of M R .Let P i be the projector for the outcome 0 of M i , for i = 0, 1.The assumption (13) implies w.l.o.g. that Define the reflection unitary U i = 1 − 2P i .We would like to show that an application of U 0 to |ψ changes the outcome of M 1 .We calculate Now we use Equation ( 14) and rewrite the left hand side as where we have added a zero in the second equality and used the triangle inequality.In particular we obtain the inequality Putting Equations ( 14), (15) as well as its counterpart with 0 and 1 interchanged, and ( 17) together we arrive at the conclusion that either or this equation holds with 0 and 1 interchanged.Assume w.l.o.g. that Equation ( 18) holds.Consider the adversary A that applies a Stinespring dilation of the verification algorithm, performs the unitary U 0 and then undoes the verification.This adversary produces a valid signed state by linearity.Indeed, let (vk, sk) be a given key pair, and V sk and W vk be Stinespring dilations of the signing and verification algorithms, respectively.Let furthermore P0 = W † vk P 0 W vk .By the correctness of the QS for M 0 , we have that P0 V |φ 2 2 − P 0 |φ 2 2 ≤ negl(n), for all |φ , so in particular P0 V P 0 |ψ 2 − V P 0 |ψ 2 ≤ negl(n), which implies P0 V P 0 |ψ − V P 0 |ψ 2 ≤ negl(n) and similarly P0 V (1 − P 0 )|ψ 2 ≤ negl(n).Together, these inequalities yield P0 V |ψ − V P 0 |ψ 2 ≤ negl(n) and therefore where Ũ0 = W † vk U 0 W vk .This shows that the attack U 0 produces a valid ciphertext.Because of correctness of the QS for M 1 we have that and the ε-one-time security implies that Combined with Equation ( 19) we therefore get and hence, using Equation (20), Via Equation (18), this is a contradiction to assumption (13) as long as δ ≥ ε + negl(n), which finishes the proof.
Note that for logarithmic-size message space, the conclusion of Theorem 5.10 is equivalent to an upper bound on the commutator of the projectors forming the measurements M i , as then all states are efficiently preparable.
Theorem 5.10 shows that simultaneously signing different properties of a quantum state is only possible if these properties are essentially classical, implying that the best possible security can be achieved by just measuring the M i sequentially (while at most incurring an error equal to the soundness parameter ε plus a negligible function) and then signing the outcome classically.This protocol would, however, destroy any quantum properties of the message state, even if no attack occurs!The following complementary impossibility result indicates that part of this loss of quantum information is unavoidable: If we require full correctness for a QS in the sense that the composition of Sign sk and Ver vk yields the identity channel on the plaintext space, no security can be achieved.The proof uses a similar idea as in Theorem 5.10 (Stinespring, malleability unitary, un-Stinespring), details can be found in Section A.4. Theorem 5.11.Let Π = (KeyGen, Sign, Ver) be a correct QS, and let M be a non-trivial twooutcome measurement.Then Π is at most (1 − negl(n))-one-time {M }-secure.

Some variants
Here we briefly discuss how the above impossibility results also extend to other, a priori plausible, definitions of quantum digital signatures.
First, one might ask for a weak form of signatures where the receiver can either recover the message or check the authenticity (but not both.)Unfortunately, any useful formulation of this kind is likely to imply strong signatures via quantum error correction: first encode the message, then "weak-sign" the qubits; during verification, check a random subset of the qubits (at most half the code distance) and then use decoding to recover the message.
Second, one might try quantum keys.In [13], quantum keys are used to achieve informationtheoretically secure signatures for classical messages; the public key is a quantum state, a copy of which can be requested by anybody.Doing this for quantum data must fail by the same arguments as in the proofs above: by correctness, an attack using the reflection corresponding to one of the signed measurements will implement the desired attack and leave the copy of the public key undisturbed.This implies impossibility even in a weaker model where the adversary has to hand back the public key.
Finally, we might give the signer several copies of the message state, only one of which must be recovered by the verifier.However, no-cloning states that the "valid/invalid" bit output by verification cannot depend on the copy of the message recovered by the verifier.An adversary can thus run the same attack as in the proof of Theorem 5.11.After that, there is of course a mismatch between the plaintext message encoded in the signed message and any other parts that were created from the consumed message copies.As we observed, no-cloning tells us that this mismatch cannot be detected by the verification algorithm.

Quantum Signcryption: Basic Ideas
As we saw in Section 5, signing states for public verification is impossible.We thus must resort to using secret verification.This might seem to imply that we have to use secret-key authentication schemes, which come with a dramatic cost: all pairs of parties wishing to communicate must share a key secret to that pair.As it turns out, there is a far better option: signcryption [21,5].
In this section, in order to simplify the exposition, we start by addressing the basic scenario of one-time security for the two-users setting.We will expand to the more general case of many-time security for the multi-user setting in Section 7.
6.1 Definition, Some Basic Facts, and a Construction

The basic notion
Consider m parties who require pairwise authenticated and encrypted communication.This can be done via symmetric-key authenticated encryption, at a cost of a quadratic number of key-exchange executions.Moreover, each party would need to store m keys, and adding any new parties would require another round of m key-exchange executions.
With signcryption, each party needs only to run key generation privately, publish their public key, and keep their private key.Sending a message is now a matter of "signcrypting" with the sender's private key ("sign") and the receiver's public key ("encrypt.")Receiving a message requires "verified-decrypting" with the sender's public key ("verify") and the receiver's private key ("decrypt.")Adding new parties is trivial.

One-Time Signcryption Security
We now consider the simplest nontrivial setting of quantum signcryption: a single sender S sends a single signcrypted state to a single receiver R. Our goal here is to describe the most basic setting of interest, with definitions and security notions that require only minimal familiarity with previous work on quantum encryption and authentication.We will build up to the full setting in Section 7.

Outsider security
In this setting, a third-party A attacks the channel between S and R. First, A convinces S to signcrypt any message; then A freely manipulates the resulting signcryption, finally convincing R to unsigncrypt.Experiment 6.5.Let Π = (KeyGen, SigEnc, VerDec) be a QSC.An outsider attack (in the one-time, two-user setting) by a QPT A proceeds as follows. 1.
and vek R to A. We refer to A as an outside attacker, and define the (averaged) effective map where the expectation is over the keys and classical randomness.Our security definition will be based on (the computational version of) DNS security notion for one-time quantum authentication [12,9], adapted to our setting.Specifically, we will require that any (efficient) outside attack amounts to a trivial choice of effective map: implementing the "identity map" or the "discard map" on the plaintext space, with the latter resulting in a reject.Definition 6.6.A QSC Π is (one-time, two-user) outsider-secure if, for every QPT outside attacker A, there exists a QPT simulator Φ M B→M B of the form which is computationally indistinguishable4 from Λ(A,S,R) , and where Φ acc and Φ rej act on B only.
A strengthening Note that both SigEnc and VerDec receive, in addition to their input, a private parameter (i.e., sdk) and a public parameter (i.e., vek.)It is thus reasonable to define a stronger notion of security, where the adversary can set these parameters for the oracle calls occurring in the "Signcrypt" and "Attack, unsigncrypt" phases of Experiment 6.5.Indeed, this models a very plausible real-world attack.Since our goal here is to develop the one-time setting as a minimal first stepping stone, we will examine this stronger security model later in Section 7.

Insider security
An outside attacker knows all but two pieces of information: the private keys of S and R. In "insider security," we consider the case where one of these private keys is known to the attacker (if both are, security is impossible.) Insider security of sender First, consider the case of an adversary in possession of sdk R .The private information is now only sdk S , and the public information (i.e., the information accessible by the adversary) is sdk R , vek R , vek S .This means the adversary can unsigncrypt, so we can't expect S to maintain any secrecy.Can S expect unforgeability?If yes, then this would yield (as in Proposition 6.2) an unforgeable quantum signature scheme with secret signing key (sdk S , vek R ) and public verification key (vek S , sdk R ).)However, the impossibility results of Section 5 state that this induced signature scheme cannot satisfy even the most minimal security requirements.It follows that quantum signcryption cannot fulfill any insider security guarantees in this case.
Recall that non-repudiation is a property of classical digital signatures.It means that, due to unforgeability, the recipient R of a document m signed by a sender S can present the document and signature to a third party (e.g., the judge) as evidence that m was indeed signed by S. If quantum signcryption is used instead, our impossibility results tell us that R will be able to forge signcryptions; so, non-repudiation is impossible to achieve quantumly.
Insider security of receiver It remains to consider insider security where the adversary has sdk S .The private information is now only sdk R .By Proposition 6.3, Π is now a PKQE scheme, with secret decryption key (sdk R , vek S ) and public encryption key (sdk S , vek R ).Definition 6.7.A QSC Π is (one-time, two-user) insider-secure if the PKQE scheme induced by making the sender key public (i.e., via Proposition 6.3) satisfies QIND-CPA.
As with outsider security, we will not (yet) concern ourselves with adversaries who can select the key parameters of the SigEnc and VerDec calls.This will be considered as part of the many-time security scenario in Section 7.
We remark that the above definitions of one-time security translate directly to the classical setting, by using standard notions of classical unforgeability and secrecy (see, e.g., [15]) and plugging them into Definition 6.6 and Definition 6.7.

Achieving one-time outsider and insider security
We now show that the hybrid scheme (with appropriate components) achieves one-time security.Theorem 6.8.Let Π SC be a classical signcryption scheme with one-time outsider and insider security.Let Π SKQE be a cDNS-secure SKQE scheme (Definition 2.3).Then Π Hyb QSC [Π SC , Π SKQE ] (Construction 6.4) is a one-time outsider-secure and insider-secure QSC.
Proof.We provide a brief sketch; for the full proof see Section A.5.
Insider security follows from the QIND-CPA security of the hybrid PKQE construction (i.e.Theorem 4.4) and the fact that cDNS implies QIND [7,4].For outsider security, given an attack map Λ, we will construct a simulator as mandated by Definition 6.6, by using the cDNS security of Π SKQE .First, if Λ modifies the classical part c of the ciphertext, the decryption function will reject with overwhelming probability due to the unforgeability of Π SC .So we are free to assume Λ does not change c.Thus we can replace c by a fresh, unrelated c (by IND-CPA of Π SC ) provided we swap c and c back right before decryption.Since the quantum and classical parts of the ciphertext are now independent, we can view the adversary's channel on the quantum part as a cDNS attack against Π SKQE .Since Π SKQE is cDNS secure, this attack has a simulator Φ which (effectively) ignores the quantum plaintext or discards it.This in turn yields a simulator Λ for Λ: apply Φ to the quantum part, and the identity to the classical part.The guarantees provided by cDNS on Φ ensure that Λ satisfies the conditions of Definition 6.6.
To get an explicit instantiation, we can let Π SC be a classical signcryption scheme constructed, e.g., from Lamport signatures and standard post-quantum IND-CPA public-key LWE encryption via "encrypt-then-sign," and let Π SKQE be the scheme Enc

Insider security
As before, the remaining conditions to consider amount to allowing the adversary access to the private key of either S or R (but not both) which we can simply view as one of the two parties (S or R) attacking the other.Also as before, the impossibility results for quantum signatures (Section 5) imply that one cannot expect any security in the case where R is the adversary.It remains to consider the case where S is the adversary, and ask if the secrecy of R can be preserved.Here we ask for the strongest notion of secrecy, which is QIND-CCA2.Definition 7.4.A quantum signcryption scheme Π is (many-time, two-user) insider-secure if the public-key quantum encryption scheme induced by making the sender key public (i.e., via Proposition 6.3) satisfies QIND-CCA2.
As usual, we will first focus on the weaker, plaintext-only (cDNS-style) QIND-wCCA2 notion.

Achieving many-time, two-user security
It turns out that the hybrid signcryption scheme can achieve both outsider and insider (sender) security even in the many-time setting, given a sufficiently strong classical component.This is proven in Section A.6.Theorem 7.5.Let Π SC be a many-time, two-user, outsider-and insider-secure signcryption.Let Π SKQE be a cDNS-secure symmetric-key quantum encryption.Then Π Hyb QSC [Π SC , Π SKQE ] (Construction 6.4) is a quantum signcryption scheme which is (many-time, two-user) outsider-secure and insider-secure.

Upgrading to the Multi-User Setting
In the multi-user setting there are different users, each with unique "IDs."We denote the ID of a party P by ID P ∈ I.We assume that there is an efficient public lookup for the map ID P → vek P (this is usually achieved by a root of trust, PKI, or similar).In this setting we need to change the syntax of signcryption in order to account for the adversary's ability to spoof sender's and/or receiver's identities.In order to protect the scheme against these attacks we need to bind the users' identities to the corresponding keys, and impose extra correctness conditions based on the match between identities and keys.There are various ways to achieve this; we opt for the simplified notation below.In particular, we assume that every user P has a single keypair (it is possible to remove this restriction, e.g., by adding a key index to the output of KeyGen and managing the index together with the identities.)Definition 7.6.A (multi-user) quantum signcryption scheme (or muQSC) is a triple of QPT algorithms: for all (sdk P , vek P ) ∈ supp KeyGen(1 n , ID P ), and where we assume w.l.o.g. that sdk P also includes vek P , and vek P also includes 1 n and ID P , for every (sdk P , vek P ) ← KeyGen(1 n , ID P ), ∀ P ∈ I.
The output of VerDec sdk R ,vek S includes user identities.Correctness demands that such identities are the ones corresponding to the keys used in SigEnc.In theory nothing forbids a malicious adversary from modifying a ciphertext such that the resulting identities output by VerDec are different.In this sense, an "identity fraud attack" for signcryption in the multi-user setting results in a forgery attack.

Outsider security
The scenario here is similar to outsider security for the two-user setting: an external adversary A mounts an attack against a sender/receiver pair (S, R).However, there are two fundamental differences: (1.) there are many users in I, and hence many possible (S, R) pairs; and (2.) beyond the "usual" attack scenarios covered by the two-user case, A might be able to attack the signcryption scheme by performing identity fraud (i.e., spoofing the identity of the sender or the receiver of a signcrypted message).Dealing with the latter is easy: as in Definition 7.6, in order to mount an identity fraud attack A has to modify the identities output by the VerDec algorithm.This means that such attacks are actually a special case of message forgeries, which are already covered by the real vs.ideal approach in the outsider security scenario of Section 7.1.
The other issue is more subtle.There might be insecure schemes which produce weaker keys for certain user IDs, or there might be schemes where the compromise of a certain number of users (and hence knowledge of their secret keys) also compromises the security of other users.In order to deal with all these scenarios, we will adopt a very conservative approach: (1.) the adversary is given the possibility of choosing S and R among I; and (2.) the adversary receives the secret keys of all the other users.
We define the modified experiments M-Out-Real and M-Out-Ideal accordingly, and security is given as usual in terms of indistinguishability of the two.
Experiment 7.7.The multi-user real outsider experiment M-Out-Real(Π, A, n): 1: for every ID P ∈ I do: (sdk P , vek P ) ← KeyGen(1 n , ID P ).2: A gets as input 1 n , I, and the list of all public keys {vek P } for all ID P ∈ I; 3: A outputs two identities S, R ∈ I; 4: A receives the list of all secret keys {sdk P } for all ID P ∈ I \ {S, R}; 5: return the output of A SigEnc S,R ,VerDec S,R .Experiment 7.8.The multi-user ideal outsider experiment M-Out-Ideal(Π, A, n): 1: for every ID P ∈ I do: (sdk P , vek P ) ← KeyGen(1 n , ID P ).2: A gets as input 1 n , I, and the list of all public keys {vek P } for all ID P ∈ I; 3: A outputs two identities S, R ∈ I; 4: A receives the list of all secret keys {sdk P } for all ID P ∈ I \ {S, R}; 5: define channel E M →C : (1) prepare |φ + M M , store (M , M ) in a set M; (2) apply SigEnc S,R to M ; return result.

Insider security
In addition to picking a sender and receiver of his choice, the adversary is now allowed to access the private key of either of the two (but not both).Also as before, given the impossibility results for quantum signatures (Section 5), it makes sense to consider the case where S is the adversary, and ask if the secrecy of R can be preserved.Again, we ask for the strongest notion of secrecy.However, given the multi-user setting, we must now consider a multi-user version of QIND-CCA2, where the adversary gets to pick the target R to attack, and receives all other user's secret keys.We omit the details here, as the resulting definition follows a similar approach as in the outsider security case.
Definition 7.10.A multi-user QSC Π is insider-secure if the public-key quantum encryption scheme induced by making the sender key public (i.e., via Proposition 6.3) satisfies (the multi-user version of) QIND-CCA2.

Achieving many-time, multi-user security
The multi-user definitions can be fulfilled in a way analogous to the classical case.Here [5] describe a simple generic transformation from a two-user secure scheme to a multi-user secure scheme, which proceeds as follows.Whenever signcrypting any plaintext, we first attach to the plaintext the IDs of both the sender and the intended receiver.When applying verified decryption, we check whether the IDs attached to the plaintext are correct.If so, we output the plaintext, otherwise reject.Arguing multi-user security of this transformation then reduces in a straightforward way to twouser security, essentially as done in [5].We omit a full proof of security for this construction, and leave it for a future work.However, the details should be easy to infer from the previous discussion and follow the same general strategy.

Upgrading to Ciphertext Authentication
As discussed above, the security notions we have developed for signcryption provide for plaintext security.For instance, in the outsider security case, this means that the adversary cannot perform any attack which modifies the underlying plaintext.The advantage of this approach is that the security games and definitions are rather simple to state and describe, and intuitive.However, this leaves open the possibility of adversaries that modify ciphertexts without being noticed.As it turns out, we can address this case as well, roughly following the route followed by [3] in the private-key encryption setting.Here we only briefly describe the modifications, as they are essentially identical to those in [3].First, we observe that the characterization lemma (Lemma 5.7) shows that all quantum encryption schemes have a simple "attach auxiliary state, then apply keyed isometry V k " form.This form is also efficient in all schemes we are aware of (we state this formally as Condition 5.9), but may in principle be inefficient.
Next, with this characterization in hand, we can replace the "trap setting" step of each relevant security game (e.g., Step 1 in the Out-Ideal experiment) as follows.We still encrypt half of a maximally-entangled state φ + and store the input and half of φ + .In addition, we now also store the classical randomness used to sample the aforementioned auxiliary state (prior to applying V k .) We then correspondingly adjust the second "cheat detection" step of each relevant security game (e.g., Step 2 in the Out-Ideal experiment), as follows.Given a ciphertext, we first undo the isometry V † k .We then check if the auxiliary state agrees with the stored randomness.If it does, we additionally perform the entanglement check as before.If both checks say "yes," we supply the stored state.Otherwise we output ⊥.(In the insider-security case, it's slightly different: "yes" now means that the adversary is attempting to decrypt the challenge, so we simply terminate and output "cheat.")This transformation yields enhanced cheat-detection games for both outsider-security (analogous to QAE) and insider-security (analogous to QIND-CCA2.)Security is then still defined in terms of the advantage of adversaries at distinguishing the test game from the corresponding cheat-detection game for outsider security, and the winning advantage in the test game over the cheat-detection game for insider security, respectively.Provided that the relevant construction now uses QCA [3] instead of cDNS quantum authentication as a building block, the security proofs carry over essentially unchanged.
first checks which register M should be used together with the decrypted quantum plaintext to measure |φ + φ + | vs. 1 − |φ + φ + | by means of comparing k and the k s, wQAE-Ideal just tries them one by one.For the ones that do not fit, though, this measurement yields "not maximally entangled" with overwhelming probability, and the gentle measurement lemma implies that the decrypted plaintext is not disturbed.
A.2 Detailed Proof of Theorem 4.5 Let A = (A 1 , A 2 ) be an adversary playing QCCA2-Test.We will go through a game hopping, where the winning probability of the adversary always increases (or decreases at most negligibly), up to an experiment which is equivalent to QwCCA2-Fake.First of all, we restate the two experiments explicitly.
Experiment A.4.The QCCA2-Test(Π, A, n) experiment: We start now with the game-hopping.Game 0: this is just QCCA2-Test.Game 1: as Game 0, except that C will prepare two entangled registers |φ + M M ; then if b = 1 instead of encrypting the maximally mixed state τ M , he will discard M and return to A the encryption of M instead.Clearly the winning probability of A is unaffected by this, otherwise A could distinguish τ M from φ + M without access to φ + M .Game 2: as Game 1, but instead of oracle access to Dec dk , A 2 gets access to a modified oracle D dk which, on input a ciphertext register C, does the following: 1. applies Dec dk to C, places result in M ; 2. applies {Π + , 1 − Π + } to M M ; 3. if the outcome is 1 then: abort game and output win; else return M ; Notice that D dk is the same as D dk in QwCCA2-Fake, except it aborts with win instead of cheat whenever it detects a challenge plaintext replay.Clearly, the probability of A of winning this game does not decrease in respect to the previous game, hence so far we have: Game 3: as Game 2, but C "blinds" the classical part of the challenge ciphertext, replacing it with a different one, and D dk is modified in order to undo the blinding whenever queried on the fake ciphertext, making the substitution transparent to the adversary.The experiment looks as follows.
Experiment A.6.The Game 3(Π, A, n) experiment:  Notice that, since in the algorithm Dec of Π Hyb the first step is to measure the classical part of the register C, the new measurement introduced by D t dk does not disturb A's behavior.Moreover, the substitution of t with t is undetectable for A, otherwise we could build a reduction B against the IND-CCA2 security of Π PKE , in the following way: 2. During the challenge from A, B generates a fresh k and uses it as a challenge to C CCA2 , receiving back a ciphertext t; 3. Flip a coin b $ ← − {0, 1} to decide whether for the rest of the game B will try to simulate Game 2 (b = 0) or Game 3 (b = 1) for A. In the first case just return to A the correctly formed ciphertext register C, and simulate decryption queries on t-parts by defining their decryption as k.In the latter case instead, generate a fake encryption t , modify C accordingly before returning it to A, then simulate a "blinded" oracle D t dk by decrypting t -part queries as k.The reduction works because if b = 0, then we are simulating for A correctly either Game 2 or Game 3 (depending on b ).By assumption, in this case A should be able to guess correctly b with non-negligible advantage, otherwise his guess will be unrelated to b.Therefore, we have: Also notice that, at this point, A has no information whatsoever about the key k used to encrypt the quantum part of the challenge, because the encryption of k was blinded with another, unrelated one by the modified oracle D t dk .This observation will be important in the next game hop, because the definition of DNS security (and of the computational variant cDNS) argues about adversaries averaged over the secret key used.
Game 4: as Game 3, but this time C always replaces the challenge plaintext register M with the entangled half φ + M , regardless of b.We show that this replacement cannot be efficiently detected.Clearly, if b = 1 nothing changes for A. If b = 0 instead, the quantum part of the challenge ciphertext received back by A is now an encryption (through Π SKQE ) of the register M for a secret key k unknown to A by the reasoning made in the last game.
Then, consider any query to D t dk performed by A 2 .Such query can be seen as a convex combination of: a query state which does not depend on the challenge (and hence does not change the win probability), and the output of an attack map acting on the challenge ciphertext and an internal adversarial state S. By the cDNS security of Π SKQE , such an attack map is (up to a negligible factor) a convex combination of two maps: the one which replaces the underlying plaintext with |⊥ ⊥| (and hence independent from the challenge plaintext, so again does not change the win probability), and the one which acts as the identity, and leaves the underlying plaintext untouched.However, this latter map would produce a query which is detected as φ Notice that this final game is equivalent to QwCCA2-Fake.In fact, by now A's output is completely unrelated to b. Combining all inequalities, we have shown: Pr [A cheats in QwCCA2-Fake] ≥ Pr [A wins QCCA2-Test] − negl, which proves finally that Π Hyb is QIND-wCCA2 secure.

A.3 Strong (cQCA-Based) CCA2 Security for Public-Key Quantum Encryption
We show here the "correct" (strongest) formulation of quantum CCA2 security for the public-key setting by using the framework from Section 3.1 and extending in a natural way the work done in [3].We recall that, in particular, this formulation has the advantage that it closely matches "in spirit" the classical version of IND-CCA2 by disallowing replay of the challenge ciphertext in a strict quantum sense, where detection of a replay is done by exploiting QCA-based quantum ciphertext integrity.The drawback is that the use of such formulation in actual security proofs relies on a characterization of quantum encryption schemes given by a decomposition of the encryption/decryption procedure in terms of operators V k and Π k,r , where k (which in our case can be thought w.l.o.g. as the pair (dk, ek)) is the underlying QCA authentication key (see [3] for details).One can prove that such decomposition always exists, but the necessary characterization here requires either that this decomposition is efficient (Condition 5.9), or that one accepts non-efficient challengers in the security game.There is currently no known counterexample of a quantum encryption scheme (either symmetric-or public-key) not respecting Condition 5.9.Regardless, as shown in [3], this approach has many advantages, even if strictly speaking it can only be used on quantum encryption schemes which fulfill the characterization.
We start by recalling again the unrestricted quantum CCA2 experiment.
Experiment A.7.The QCCA2-Test(Π, A, n) experiment: Notice that in this game there are no restrictions on the use of Dec dk by A 2 .In particular, A 2 is free to decrypt the challenge.In the second game, the challenge plaintext is replaced by half of a maximally entangled state, and A only gains an advantage over guessing if he cheats, i.e., if he tries to decrypt the challenge.
Experiment A.8.The QCCA2-Fake(Π, A, n) experiment:  The omission of absolute values in the above is intentional.Indeed, an adversary can artificially inflate his cheating probability by querying the decryption oracle on the challenge and then ignoring the result.What he should not be able to do (against a secure scheme) is make his win probability larger than his cheating probability.
Separation and implication results follow the same strategy of [3], which we refer the reader to.We only recall here the following.Proposition A.10.If Π is a QIND-CCA2 secure PKQE scheme, then in particular it is also QIND-CCA1 and QIND-CPA.
Moreover, following the same strategy as in Theorem 4.5, we have the following.
Proposition A.11. Select the following: A.4 Detailed Proof of Theorem 5.11 We want to show that if Π = (KeyGen, Sign, Ver) is a correct QS, and M is a non-trivial two-outcome measurement, then Π is at most (1 − negl(n))-one-time {M }-secure.We use a similar idea as in the proof of Theorem 5.10.Just assuming correctness we can construct an attack that begins by applying a Stinespring dilation of the verification algorithm.Subsequently we apply a unitary that changes |ψ 0 to |ψ 1 , where the |ψ i are efficiently preparable states such that measuring M on |ψ i returns result i with certainty.Finally, the attack undoes the Stinespring dilation of the verification.The result is a valid signed state for |ψ 1 when the attack is applied to a signed state for |ψ 0 .The details are as follows.First note that Lemma 5.7 does not use the fact that the public key is public, or that the secret key is secret, it only uses the correctness of the scheme.Therefore we can apply it to the present QS as well to conclude that the quantum channel implemented by the verification algorithm fulfills the equation where k = vk, sk. 6In particular, Equation 26 implies that there exists a Stinespring dilation unitary W Ver vk of Ver vk such that Let Ŵ Ver vk CE1→M E2 be an efficiently implementable Stinespring dilation unitary of Ver vk .We consider the following attack.Let |ψ i M , i = 0, 1 be efficiently preparable pure states such that M returns i with certainty when applied to |ψ i ψ i | M , and let U i be preparation unitaries for |ψ i M , i.e.
Here we have used Equation 28 in the second line, and Equation 25 in the third and last lines.In particular, the calculation above implies that P A (P Sign sk (|ψ 0 ψ 0 | M ) P ) P ≈ A (Sign sk (|ψ 0 ψ 0 | M )) .
We have thus transformed a signature of |ψ 0 into a signature of |ψ 1 and thus changed the outcome of M from 0 to 1, up to negligible difference.

1 :Experiment 3 . 2 .
C runs (dk, ek) ← KeyGen(1 n ) and flips a coin b $ ← − {0, 1}; 2: A 1 receives ek and oracle access to Dec dk ; 3: A 1 prepares a side register S, and sends to C a challenge register M ; 4: C puts into C either Enc ek (M ) (if b = 0) or Enc ek (τ M ) (if b = 1); 5: A 2 receives registers C and S and oracle access to Dec dk ; 6: A 2 outputs a bit b .If b = b, output win; otherwise output rej.The QwCCA2-Fake(Π, A, n) experiment: 1: C runs (dk, ek) ← KeyGen(1 n ); 2: A 1 receives ek and oracle access to Dec dk ; 3: A 1 prepares a side register S, and sends to C a challenge register M ; 4: C discards M , prepares |φ + M M , and stores M ; then C encrypts M (using ek) and puts the resulting ciphertext into C ; 5: A 2 receives registers C and S and oracle access to D dk , where D dk is defined as follows.On input a register C:

Theorem 4 . 3 .
Let Π be a classical AE scheme, and let Σ be a cDNS-(resp., cQCA-) secure symmetric-key quantum encryption scheme.Then Π Hyb SKQE [Π, Σ] is a wQAE-(resp., QAE-) secure symmetric-key quantum encryption scheme.Proof sketch.(For details, see Section A.1).We only prove this theorem for the weak, plaintextbased version wQAE starting from a cDNS SKQE scheme and a AE SKE scheme.The general result follows from the discussion in Section 7.3.IN this proof, indistinguishable means computationally indistinguishable.

m( 1
/d M )); (iii.) if t = b set b out = 0; otherwise set b out $ ← − {0, 1}, and (iv.)output b out .Now consider A in the IND-CPA game, and let b be the challenge bit.If b = 0, then the execution of A is exactly simulating the QIND-CPA game, and so Pr[b out = b] ≥ 1/2 + δ.If b = 1, then the encryption of is done with an independent key; by QIND, Pr[t = b ] = 1/2 which implies that Pr[b out = b] = 1/2.We thus have that, overall, Pr[b out

1 :( 1 )
C runs (dk, ek) ← KeyGen(1 n ) and flips a coin b $ ← − {0, 1}; 2: A 1 receives ek and oracle access to Dec dk ; 3: A 1 prepares a side register S, and sends to C a challenge register M ; 4: C puts into C either Enc ek (M ) (if b = 0) or Enc ek (τ M ) (if b = 1); 5: A 2 receives registers C and S and oracle access to Dec dk ; 6: A 2 outputs a bit b .If b = b, output win; otherwise output rej.Experiment A.5.The QwCCA2-Fake(Π, A, n) experiment: 1: C runs (dk, ek) ← KeyGen(1 n ); 2: A 1 receives ek and oracle access to Dec dk ; 3: A 1 prepares a side register S, and sends to C a challenge register M ; 4: C discards M , prepares |φ + M M , and stores M ; then C encrypts M (using ek) and puts the resulting ciphertext into C ; 5: A 2 receives registers C and S and oracle access to D dk , where D dk is defined as follows.On input a register C: C applies Dec dk to C, places result in M ; (2) C applies {Π + , 1 − Π + } to M M ; (3) if the outcome is 1 then: abort and output cheat; else return M ; 6: C draws a bit b at random.If b = 1, output cheat; if b = 0 output rej.

9: A 2
outputs a bit b .If b = b, output win; otherwise output fail.

1 .
B plays the IND-CCA2 game against C CCA2 (for a secret bit b), simulating C for A in the obvious way (forwarding ek, simulating Dec by decrypting classical keys with his own Dec PKE dk oracle and then doing the SKQE decryption himself).

4 .
Finally, look at A's output.If A guesses b correctly, then B guesses b = 0, otherwise B guesses b at random.

1 :
C runs (dk, ek) ← KeyGen(1 n ) and flips a coin b $ ← − {0, 1}; 2: A 1 receives ek and access to oracle Dec dk ; 3: A 1 prepares a side (state) register S, and sends C a challenge register M ; 4: C puts into C either Enc ek (M ) (if b = 0) or Enc ek (τ M ) (if b = 1); 5: A 2 receives registers C and S and oracle access to Dec dk ; 6: A 2 outputs a bit b .If b = b, output win; otherwise output fail.

1 :
C runs (dk, ek) ← KeyGen(1 n ), prepares maximally entangled registers |φ + M M , and flips a bit b $ ← − {0, 1}; 2: A 1 receives ek and oracle access to Dec dk ; 3: A 1 prepares a side register S, and sends to C a challenge register M ; 4: if b = 1, then: C discards M and replaces it with M ; 5: C encrypts M (using ek), puts the resulting ciphertext into C, and records the classical part (PKE ciphertext) t of the resulting ciphertext; 6: C generates a fresh one-time key k ← KeyGen SKQE (1 n ); 7: C encrypts t ← Enc PKE ek (k ), records t , and replaces the classical t with t in the ciphertext register C; 8: A 2 receives registers C and S, and oracle access to D t dk defined as follows.On input a register C: (1) measure the classical-subsystem part of C: if the outcome is t then: replace the classicalsubsystem part of C with |t t|; (2) applies Dec dk to C, places result in M ; (3) applies {Π + , 1 − Π + } to M M ;(4) if the outcome is 1 then: abort game and output win; else return M ;

+
M by D t dk , and would thus cause the adversary to win.Hence we have: Pr [A wins Game 6] ≥ Pr [A wins Game 5] − negl .Game 5: as Game 4, but we remove the "t blinding" feature from the simulated oracle D t dk .That is, we replace D t dk back with D dk .This replacement is undetectable for the same reasoning as in Game 3. Game 6: this is like Game 5, except that: 1. D dk is replaced by D dk (i.e., aborts with cheat instead of win); 2. C does not flip the random bit b; and 3. on A's output, regardless of outcome, we declare A to cheat or to rej with 50/50 probability.

1 :
C runs k ← KeyGen(1 n ); 2: A 1 receives n and access to oracles Enc k and Dec k ; 3: A 1 prepares a side register S, and sends C a challenge register M ; 4: C discards M , prepares |φ + M M and fresh randomness r, and stores (M , r); then C encrypts the M register and sends the resulting ciphertext C to A 2 ; 5: A 2 receives registers C and S and oracles Enc k and D k , where D k is defined as follows.On input a register C:(1) C applies V † k to C, places results in M T ; (2) C applies {P σ k T , 1 − P σ k T } to T ; (3) if outcome is 0 then: (4)C applies {Π k,r , 1 − Π k,r } to T ; (12)y the default map for invalid ciphertexts, i.e., Dk to M .(11)endif(12)returnM ;