Impossibility of Post-Quantum Shielding Black-Box Constructions of CCA from CPA

. Proving whether it is possible to build IND-CCA public-key encryption (PKE) from IND-CPA PKE in a black-box manner is a major open problem in theoretical cryptography. In a significant breakthrough, Gertner, Malkin and Myers showed in 2007 that shielding black-box reductions from IND-CCA to IND-CPA do not exist in the standard model. Shielding means that the decryption algorithm of the IND-CCA scheme does not call the encryption algorithm of the underlying IND-CPA scheme. In other words, it implies that every tentative construction of IND-CCA from IND-CPA must have a re-encryption step when decrypting. This result was only proven with respect to classical algorithms. In this work we show that it stands in a post-quantum setting. That is, we prove that there is no post-quantum shielding black-box construction of IND-CCA PKE from IND-CPA PKE. In the type of reductions we consider, i.e. post-quantum ones, the constructions are still classical in the sense that the schemes must be computable on classical computers, but the adversaries and the reduction algorithm can be quantum. This suggests that considering quantum notions, which are stronger than their classical counterparts, and allowing for quantum reductions does not make building IND-CCA public-key encryption easier.


Introduction
In these last few years, as promising developments have been made in the field of quantum computation, post-quantum (PQ) cryptography has been the subject of intense research.In particular, the National Institute of Standards and Technology (NIST) in the US launched a standardization process, and great efforts have been made to standardize one or several PQ signature/encryption schemes and key-encapsulation mechanisms (KEMs).In addition, many works focused on transposing classical security notions and models to the quantum setting.Among these, we can find the quantum equivalent of the random oracle model (ROM) called quantum random oracle model (QROM) [BDF + 11], or different security definitions against quantum adversaries for public-key encryption (PKE), e.g.Boneh et al. [BZ13].For instance, post-quantum indistinguishability notions like IND-CPA or IND-CCA can be defined exactly as their classical counterpart except the adversaries are assumed to be quantum.As quantum computers are strictly more powerful, it also implies that post-quantum indistinguishability is stronger than classical indistinguishability (in the sense that the former implies the latter).
In turn, this means that known relations between classical cryptographic notions do not necessarily hold in the (post-)quantum setting.In addition, such relations are usually defined in term of reductions, which must be redefined to capture the quantum capabilities of algorithms.Therefore, known implications and separations in the classical world need to be re-proven in the quantum one.In this work, we focus on the following major open problem: Is it possible to construct an IND-CCA PKE from an IND-CPA PKE, in a black-box manner?
In the random oracle model, the answer to this question is known to be positive thanks to constructions like the Fujisaki-Okamoto transform [FO99,FO13].In the so-called standard model (as opposed to the ROM), the question is still open.In the classical setting, Gertner et al. [GMM07] proved a partial negative answer to the problem.They showed that no shielding black-box reduction from IND-CCA (even IND-CCA1) to IND-CPA exists.A shielding reduction means that the decryption algorithm of the IND-CCA PKE cannot call the encryption function of the underlying IND-CPA PKE.

Our contributions
The motivation behind this work is that Gertner et al.'s result does not deal with quantum algorithms.Our main contribution is to prove that no post-quantum shielding reduction from IND-CCA PKE to IND-CPA PKE exists1 .Here, unlike in Gertner et al.'s, IND-CCA and IND-CPA are defined relative to quantum adversaries.Moreover, the reduction algorithm is assumed to be quantum as well.However, we still consider classical schemes, i.e. both the IND-CCA and IND-CPA PKEs are assumed to be computable classically.This is why we call this type of reduction post-quantum.
From a high-level perspective, the proof uses similar techniques as the classical one.That is, we use the well-known two oracles technique by Hsiao et al. [HR04], which is itself a variant of the relativizing method introduced by Impagliazzo and Rudich [IR89].In short, we propose an oracle O = (O, R) relative to which IND-CPA PKEs exist but IND-CCA schemes Π O (i.e.Π can query O but not R) do not.One of the main technical difficulties in the proof arises from the fact that the IND-CPA adversaries are quantum, and therefore have quantum access to the oracle.Therefore, we need to show that an adversary that can make quantum queries to O cannot break the IND-CPA scheme.Our proof relies on reductions from several hard (quantum) problems and thus minimal quantum knowledge is sufficient to verify it.
An obvious limitation, as in the original proof, is that we rule out only shielding reductions.However, if non-shielding constructions existed, they would imply a reencryption step during decryption, as in the Fujisaki-Okamoto (FO) transform, which makes an IND-CCA PKE out of a IND-CPA one in the (quantum) random oracle model.We note that while our impossibility result is proven in the standard model, it should still hold in the Random Oracle Model due to the structure of the oracle O we use in the proof (i.e.O is with high probability made of random oracles).Thus, our result rules out more efficient transforms than the FO one.

Related work
Since the seminal paper by Impagliazzo et al. [IR89], the topic of black-box separation has been extensively studied (e.g.[AS16,HR04,Sim98]).In particular, as mentioned several times, the present work is a generalization of a result by Gertner et al. [GMM07].More recently, Hosoyamada et al. [HY20] defined the notion of quantum black-box reduction.In addition, they showed that there is no quantum black-box reduction from collision-resistant hash functions to one-way permutations [HY20].Following this work, Cao et al. [CX21] proved that one-way permutations cannot be obtained from different flavours of one-way functions in a quantum black-box way.
Different notions of black-box reductions were first formalised by Reingold et al. [RTV04].These were then extended by Baecher et al. [BBF13].

Technical overview
We use the two-oracle technique by Hsiao et al. [HR04] to rule out post-quantum reductions from (post-quantum) IND-CCA PKE to IND-CPA PKE.That is, we provide an oracle O that helps implement a IND-CPA PKE, and an oracle R that helps break any construction of IND-CCA PKE.More precisely, the oracle O will contain 3 sub-oracles (g, e, d), where g is an ideal key-generation functions, e an ideal public-key encryption function, and d is the corresponding decryption function.Then, (g, e, d) will correspond to the IND-CPA PKE scheme.Note that without an additional breaking oracle R, the PKE would be IND-CCA secure against classical or quantum adversaries.Now, R is composed of additional sub-oracles, which are approximately defined as follows.
• w, which takes as input a public key pk and encrypts each bit of the corresponding sk using e.That is, w(pk) → (e(pk, sk i )) i∈ [n] , where sk is s.t.g(sk) = pk.
• u, which takes as input a public key pk and a ciphertext c, and outputs 1 iff both the public key and the ciphertext are valid (i.e. the public key has a corresponding secret key and the ciphertext has a corresponding pre-image under the given public key).
We note that the set of oracles (g, e, d, w, u) is the same as the one used in Gertner et al.'s proof [GMM07].
Then, in order to prove the separation, we need to show two results: 1. (g, e, d) is an IND-CPA PKE even if the adversary has access to w and u.In the classical setting, this is quite straightforward to prove, as was done by Gertner et al. [GMM07].In the quantum setting, this is much more tricky as the adversary can now query w in superposition and the demonstration of this result turns out to be the technical contribution of the paper.Our proof involves two reductions to quantum problems.We first introduce the IMG problem, where (informally) a quantum adversary must distinguish between two sets of oracles (e 1 , e 2 , w 1 ) and (e 1 , e 2 , w 2 ), where e 1 , e 2 are random injective functions and w 1 (resp.w 2 ) is a random function that has the same image as e 1 (resp.e 2 ).We then show that the IND-CPA security of (g, e, d) reduces to the IMG problem.Intuitively, in the reduction, the encryption of a 1 (resp.0) will be simulated by a call to e 1 (resp.e 2 ) and w b will simulate the encryption of a bit of sk.
Finally, we prove that the IMG problem is hard for any quantum adversary by reducing another provably hard problem (namely the set equality problem SETEQ [Zha15]) to it.In SETEQ, the adversary is given two random injective functions f and g s.t.either f, g have the same image or have completely distinct images, and must distinguish between both cases.
We believe this proof might be of independent interest as it shows security of (ideal) encryption even in the presence of ciphertexts that are highly correlated with the secret-key.In addition, it requires only minimal quantum knowledge to verify.
2. Any shielding construction of a PKE from O is insecure against an IND-CCA adversary having access to R. For this, we can simply reuse the proof from Gertner et al. [GMM07] as the classical adversary they build can obviously be implemented quantumly.
We conclude the proof by combining these results and applying usual separation arguments.

Outline
In Section 2, we recall security definitions and notions of quantum computing and we define post-quantum reductions.We define the oracles O and R in Section 3.Then, in Section 4, we introduce the IMG problem and prove its quantum hardness by reducing the SETEQ problem (proven to be hard by Zhandry [Zha15]) to it.We also recall a lemma by Cao et al. [CX21] that states that inverting random functions is hard for quantum algorithms, even given access to the partial inverse of the function.

PKE and security definitions
A Public-Key Encryption (PKE) scheme is defined as follows.
Definition 1 (Public-Key Encryption).Let ℓ 1 , ℓ 2 , ℓ 3 and ℓ 4 be polynomial functions that describes the length of the inputs and outputs.A Public-Key Encryption scheme is made of three algorithms (G, E, D): The key generation algorithm takes a string s ∈ {0, 1} n , where n is the security parameter, and outputs a pair of secret and public key.We let sk ∈ {0, 1} ℓ1(n) and pk ∈ {0, 1} ℓ2 (n) .
The encryption algorithm takes as inputs the public key pk and a plaintext m ∈ {0, 1} ℓ4(n) and it outputs a ciphertext c ∈ {0, 1} ℓ3(n) .
Both the generation and encryption algorithms are probabilistic, while the decryption function is deterministic.The different length functions ℓ i (•) depend on the security parameter n, which we omit from now on for the sake of simplicity.
In addition, a PKE must be correct.That is, for all m ∈ {0, 1} ℓ4 and for all (sk, pk) ←$ G(s) for any s ∈ {0,

Quantum algorithms
Following similar works (e.g.[HY20]), we consider the quantum circuits model of computation, where a quantum algorithm is a family of quantum circuits.In addition, as our quantum adversaries (algorithms) have access to oracles, we must define oracle-aided quantum algorithms.We use the definition of Hosoyamada et al. [HY20] modified such that we work with uniform quantum circuits.We recall that a family of uniform quantum circuits is a family of quantum circuits that can be generated by a (classical) deterministic Turing machine (see Nishimura et al. [NO02] for more details).First, similarly to previous work [HY20], we make the following assumption on the quantum oracles.

Remark 1.
The oracles (classical or quantum) considered in this paper are stateless.In the quantum setting, that means the oracle does not keep a secret register that evolves with queries.Therefore, we assume that having quantum access to an oracle means having an oracle access to the corresponding unitary.The same assumption stays valid when an algorithm has oracle access to another quantum algorithm.

Definition 4 (Oracle-aided quantum algorithms). A quantum oracle is a family of quantum gates
be a set of t quantum oracles.Then, an oracle-aided quantum algorithm A is a family of uniform quantum circuits {A n } n∈N s.t. on a (classical) input x ∈ {0, 1} n , A runs A O1,n,...,Ot,n n on the quantum state |x, 0, 0⟩, measures the final state and returns the result of the output register.In other words, A O1,n,...,Ot,n n can be defined as the unitary operator where U i,j,n , U 0,n are some unitary operators and q is the number of queries made by A n to the oracles.If an oracle O is randomized, it is sampled from a given distribution before A runs A On n .
Now we can define the notion of query magnitude.Informally, this is the quantum equivalent to the probability that an adversary queries a certain value to an oracle.
Definition 5 (Query magnitude [HY20]).Let Γ = (O 1 , . . ., O t ) be a set of fixed (i.e.not randomized) quantum oracles.In addition, let |ϕ i j ⟩ be the state of A Γ (running on some fixed input x) before the j-th query to an oracle O i .We can assume w.l.o.g. that the oracle O i acts on the first inp i + out i qubits of |ϕ i j ⟩ (i.e.inp i qubits of input and out i qubits of output).Then there exist α z ∈ C and a state |ψ z ⟩ s.t.
The query magnitude of z before the j-th query of Note that if one measures the first inp i qubits of |ϕ i j ⟩, z will be the result with probability The total query magnitude of z is simply the sum of the query magnitude over all queries 1 ≤ j ≤ q made by the adversary to O i : Definition 6 (Quantum-accessible oracles).Let O be any classical oracle.The quantumaccessible oracle O induced by O is a quantum oracle defined as the unitary operator O : |x, y⟩ → |x, y +O(x)⟩ for any classical inputs x and y.For the sake of simplicity, when it is clear from the context, we denote by O both a classical oracle and its quantum-accessible oracle counterpart.
Now we can state the following lemma, which will be useful in our proof.Informally, this lemma says that if a quantum algorithm can distinguish an oracle O from the same oracle where all values O(z, •) for z have been changed, then one can extract z with good probability.Lemma 1.Let n, t ∈ Z be some integers and Ψ be some distribution that outputs a tuple Then, the distribution Ψ ′ induced by Ψ and D x d ,z d ,Γ d is defined by the sampling algorithm given in Figure 3: We consider the quantum algorithm B presented in Figure 2.Then, for any oracle-aided quantum algorithm A limited to q quantum queries to Γ (or Γ ′ ) and any output y where (x, z, Γ, Γ ′ ) ←$ Ψ ′ and the probabilities are taken over the internal randomness of the adversaries, the randomness of measurements, and the sampling from Ψ ′ .
Proof.The proof is an application of the Generalized Swapping Lemma [HY20] and can be found in Appendix A.
One can observe that the above lemma is a generalised version of the well-known One-Way-to-Hiding (OW2H) lemma [Unr15].

Post-Quantum reductions
We first define a classical primitive as Baecher et al. [BBF13].
Definition 7 (Algorithm computing a random variable).We say an algorithm A computes a random variable A if A produces an output with the same distribution as A. In the following, we often write A to denote both a random variable and the algorithm that computes it.Definition 8 (Classical Primitive).A (classical) primitive P is a tuple (F P , R P ), where F P is a set of random variables and R P is a relation between two random variables.
A classical algorithm (i.e.Turing machine) implements P, or is an implementation of P, if it computes f for some f ∈ F P .
A classical/quantum adversary "breaks f " if it computes A s.t.(f, A) ∈ R P .Finally, let f ∈ F P be efficiently computable by a classical algorithm, then if there is no efficient classical (resp.quantum) algorithm A s.t.(f, A) ∈ R P , we say f is secure (resp.post-quantum secure).
Remark.In this work, we are interested by classically computable primitives (PKEs) that might resist quantum adversaries.Therefore, we do not consider quantum implementations but only quantum adversaries.That is, any implementation can be computed by a classical algorithm but the set of adversaries is the set of efficient quantum algorithms.
Finally, we define the notion of post-quantum black-box reduction.
Definition 9 (Post-Quantum black-box reduction).Let P and Q be classical primitives.There exists a post-quantum black-box reduction from Q to P if there exist an efficient classical algorithm G and an efficient quantum algorithm S s.t.

For every (classically computable)
2. For every quantum adversary A and (implementation of The second condition can be rewritten as where EFF c and EFF q stand for efficient classical and efficient quantum, respectively. In the post-quantum black-box reduction defined above, we start with a classical primitive P meant to be post-quantum secure.Then, for a black-box reduction to exist, there must be a classical algorithm that builds a primitive Q using P.In addition, there must be an efficient quantum reduction algorithm S, which, given quantum black-box access to any (even non efficient) adversary that breaks Q, builds an adversary that breaks P.
Ruling out post-quantum reductions.We show in the following lemma that a two oracles argument as described by Hsiao et al. [HR04] is sufficient to rule out post-quantum reductions.The proof is basically the same as in the classical setting.
Lemma 2. Let P and Q be classical primitives.Then, there is no post-quantum reduction from Q to P if there exist oracles (O, R) s.t.
1.There exist efficient classical algorithms f s.t.f O ∈ F P .

For all efficient classical algorithms G:
• there is an efficient quantum adversary A s.t.
For the sake of contradiction, we assume a pair of oracles (O, R) fulfilling the conditions in Lemma 2 exists and a post-quantum reduction from Q to P exists as well.Let f be the algorithm s.t.f ∈ F P as specified in condition (1).By condition (2), we have that for all G there is an efficient quantum adversary A s By the existence of the post-quantum reduction, it means that there exists an efficient quantum reduction S s.t.(f O , S A ′ ,f ) ∈ R P with A ′ := A O,R .Now, as f, A are efficient classical and quantum algorithms, one can embed these in S. Hence, there exists an efficient S s.t.(f O , S O,R ) ∈ R P .This contradicts the second part of condition (2), which completes the proof.
Informally, the two oracles technique works as follows.One builds an oracle O that trivially implements the primitive P (i.e. the primitive exists relative to O).Then, we build another oracle R and we show that the primitive is secure against even unbounded quantum adversaries (with bounded number of quantum queries to (O, R)).In particular, this implies that all the security of the primitive must come from O. In a second step, we show that there exists an inefficient adversary A (with bounded number of queries to (O, R)) that breaks any implementation of Q relative to O.Then, in a final step, it is argued that A can be made efficient.In the classical setting, this is done by assuming P = NP or by embedding a PSPACE oracle in R. Looking ahead, this will be sufficient in our case as A will be classical in our proof.Lemma 2 then states that this technique is sufficient to rule out post-quantum black-box reductions.

The Oracle O
We recall that we want to rule out reductions from IND-CCA to IND-CPA using Lemma 2. That is, we wish to find an oracle O = (O, R) s.t. an IND-CPA PKE exists relative to this oracle, but IND-CCA PKEs do not.We consider here PKEs that encrypt 1 bit, as they are known to imply PKEs for longer messages [MS09].We use the same oracle as the one defined by Gertner et al. [GMM07].We now formalize how an oracle O = (g, e, d, u, w) ←$ Ψ is sampled.For each n ∈ N, each sub-oracle is generated as follows.
• g: {0, 1} n → {0, 1} 3n is a random length-tripling one-to-one function.This function will be used as a key-generation function that outputs a public key given a secret key.
• w: {0, 1} 3n × {0, 1} n → {0, 1} 3n×n ∪ {⊥} is defined as follows.The function takes a public key pk and an index i as inputs, and outputs ⊥ if there is no unique sk ′ s.t.g(sk ′ ) = pk.Otherwise, w(pk, i) returns a vector of n encryptions of the bits of sk ′ (e(pk, sk ′ 1 , r 1,i,pk ), . . ., e(pk, sk ′ n , r n,i,pk )), where the r k,i,pk are sampled at random when (pk, i) is queried for the first time.This function returns the bit-by-bit encryption of the secret-key corresponding to the input public key, with different random coins indexed by i.

Hard Problems
We introduce in this section several quantum hard problems that will be used to prove our main technical result.First, we recall the definition of the (average) set quality (SETEQ) problem.
Definition 11 (SETEQ).Let Inj n,m be the set of one-to-one functions from {0, 1} n to {0, 1} m .We define F b n as the following distribution.
The SETEQ problem is hard if for any (possibly unbounded) quantum adversary A that makes poly(n) quantum queries to f, g where the probabilities are taken over the quantum randomness and the sampling of f, g.
It turns out the SETEQ problem is hard, according to the following theorem by Zhandry [Zha15].
Theorem 1 (Hardness of SETEQ [Zha15]).Let F b n be as defined above.Then, for any quantum adversary we have where q is the number of queries A makes to f and g.
We now introduce an intermediary problem that we call the IMG problem.
Definition 12 (IMG problem).Let e 0 : {0, 1} n → {0, 1} 3n and e 1 : {0, 1} n → {0, 1} 3n be random one-to-one functions s.t.Im(e 0 ) ∩ Im(e 1 ) = ∅.I.e. e 0 and e 1 are sampled uniformly at random from the set of pairs of injective functions with disjoint images.Let f : {0, 1} n → {0, 1} n be a random function.We define w b (•) := e b (f (•)).In addition, we define an helper oracle u(c) that returns ⊤ if c ∈ Im(e 0 ) ∪ Im(e 1 ) and ⊥ otherwise.The IMG problem is considered hard if for every (possibly unbounded) quantum adversary A that makes poly(n) quantum queries to e 0 , e 1 , w b , u, we have where the probabilities are taken over the quantum randomness and the sampling of e 0 , e 1 , f .Concretely, this problem is hard if with a polynomial number of quantum queries one cannot say whether w b has the same image as e 0 or e 1 .Note that we could also define w b as a random function with domain {0, 1} n and codomain Im(e b ).
Jumping ahead, we will use the above problem with e b defined as e(pk * , b, •), u as u and w b as one part of the w oracle.
Using this result, we prove that the IMG problem is hard by showing that SETEQ reduces to it.
Lemma 3 (SETEQ reduces to IMG).Let F b n be as defined in the SETEQ problem and e 0 , e 1 , w b , u as defined in the IMG problem.Then, for any IMG quantum adversary one can build a SETEQ adversary such that where the number of queries made by B is roughly twice the number made by A.
Proof.We first state the idea of the proof.In the SETEQ problem, when b = 1 (thus Im(f ) ∩ Im(g) = ∅) one can set e 0 = f and e 1 = g and w b ′ = e b ′ • r with b ′ picked at random and r a random function.Minus some technical details, this perfectly simulates an instance of the IMG problem and the probability that the IMG adversary A outputs b ′ is the advantage of A (plus or minus 1 2 ) in the IMG problem.Then, if b = 0, images of e 0 and e 1 will be the same and it is impossible to distinguish w 0 from w 1 .Thus, in this case A outputs 0 or 1 with probability 1 2 .Hence, if A makes the correct guess with probability p in a correct instance of the IMG problem, the SETEQ reduction B has an advantage of p − 1 2 , which is equal to A's advantage.More formally, the reduction B f,g sets A's oracles as follows.First, B samples a random one-to-one function h ←$ Inj n+1,3n , a random function r : {0, 1} n → {0, 1} n and a random bit b ′ .Then, each oracle is set as be done because B is an unbounded adversary which sampled h.
Each oracle can be implemented in a quantum circuit that makes 2 calls to the quantum oracles f or g.For instance, the unitary U e0 : |x, y, z⟩ → |x, y+e 0 (x), z⟩ can be implemented as The adversary B f,g runs b ′′ ← A e0,e1,w b ′ ,u and returns 1 b ′ =b ′′ .We distinguish two cases: • b = 1 (Im(f ) ∩ Im(g) = ∅): By definition g and f are one-to-one functions from {0, 1} n to {0, 1} n+1 and h is a random one-to-one function from {0, 1} n+1 to {0, 1} 3n .Moreover, as the images of g and f are distinct, e 0 and e 1 are random one-to-one functions from {0, 1} n to {0, 1} 3n s.t.Im(e 0 ) ∩ Im(e 1 ) = ∅.In addition, w b ′ is defined as e b ′ • r and u(c) returns whether c ∈ Im(e 0 ) ∪ Im(e 1 ).Therefore, where (e 0 , e 1 , w b ′ , u) follow the same distribution as in the IMG problem.for both b ′ = 0 or b ′ = 1, as r is a random function.Hence, even with an unbounded number of queries to e 0 , e 1 , w b ′ , Pr[A e0,e1,w1,u ⇒ 1] = Pr[A e0,e1,w0,u ⇒ 1].Therefore, Finally, we get that for any IMG adversary A that makes q quantum queries, there exists an (unbounded) SETEQ adversary B s.t.
where B makes at most 2q queries, which concludes the proof.
Corollary 1 (Hardness of IMG).The IMG is hard for quantum algorithms.More precisely, for any IMG quantum adversary, we have where q is the number of quantum queries made by A.
Finally, we define partial inverse functions and recall a Lemma by Cao et al. [CX21].
In other words, f −1 ̸ =x * inverts f except on y = f (x * ).Lemma 4 (Lemma 5 [CX21]).Let f ←$ Inj n,n+m be a random injective function, x * ←$ {0, 1} n , and f −1 ̸ =x * be the partial inverse function.Then, for any (possible unbounded) quantum adversary A making poly(n) quantum queries to f, f −1 ̸ =x * , we have where the probability is taken over the randomness of A, f and x * .I.e.inverting f (x * ) given f and the partial inverse function is hard.

Existence of IND-CPA PKE relative to O
We first define what a (1-bit) PKE relative to an oracle is.• G O : {0, 1} n → {0, 1} n ρ 0 × {0, 1} n ρ 1 .We consider G O (S) = (SK, P K) as a key generation function that takes a seed S and outputs a pair of secret/public keys (SK, P K).
We consider E O (P K, M, R) = C as an encryption function that takes as inputs a public key P K, a bit M and random coins R, and outputs a ciphertext C.
We consider D O (SK, C) = M ′ as a decryption function that takes as inputs a secret-key SK and a ciphertext C, and outputs a plaintext bit M ′ or the error symbol ⊥.
We also require perfect correctness, that is for any for (SK, P K) = G O (S).In addition, w.l.o.g.we assume there are constants s and q s.t. for any security parameter n, (G O , E O , D O ) make at most n q queries to O and each query is at most of size n s .In addition, the running time of (G O , E O , D O ) must be polynomial in n as well.
We now prove the main theorem, that is (g, e, d) is IND-CPA relative to the oracle O (see Definition 10).
Theorem 2. Let PKE q O = (g g , e, d) be a PKE relative to O, where g g (s) sets sk ← s and returns (sk, g(sk)).Then, for any (possibly unbounded) quantum adversary A we have where the number of quantum queries made by Proof.The idea of the proof is the following.We first modify the game such that the decryption oracle d does not reply when queried with sk * .We call this new game Γ 1 and we use Lemma 1 to argue that the advantage difference between both games is upper bounded by the probability that some adversary B inverts pk * having access to g, e, w, u and the modified decryption oracle.We then iteratively modify the oracle w into oracles w 1 , . . ., w n s.t. the first i ciphertexts output by w i (pk * , •) are encryptions of 0's (instead of the bits of sk * ).The advantage difference between these n games hops can be upper bounded by the probability of winning the IMG problem, which is negligible.Then, the advantage of B in the final game (i.e. with w n ) can be upper bounded by the advantage of another adversary inverting g having access to a partial invert oracle g −1 ̸ =sk * .The idea is that g −1 ̸ =sk * can be used to simulate w n (pk, •) as we can either invert pk ̸ = pk * and encrypt the result, or encrypt 0 bits if pk = pk * .
Next, we modify Γ 1 into another game Γ 2 such that the oracle e does not reply on queries of the form e(pk * , •, r * ), where r * are the coins used to compute the challenge ciphertext c * .We apply Lemma 1 again to deduce that the advantage difference between both games is roughly upper bounded by the advantage of some adversary B in finding r * given pk * and c * .Then, this advantage can be upper bounded by the probability an adversary inverts a function given access to its partial inverse.Intuitively, e is the function to invert and the modified d is the partial inverse as it does not reply on queries of the form d(sk * , •).Finally, in Γ 2 , the oracles give no information on c * as d cannot decrypt it and e(pk * , •, r * ) returns ⊥.That concludes the proof.
We proceed with a sequence of hybrid games Γ 0 -Γ 2 shown in Figure 4.  , e, d, w, u).In the IND-CPA game with security parameter n, we assume the adversary only queries oracle circuits o n .As the adversary's input is independent of any suboracle o i , i ̸ = n it does not change the where B runs A until some random quantum query q i , measures the input register and outputs the first n bits of the result.Now we prove the following lemma.
In other words, when pk * is queried, the encryption of the first bit of sk * is replaced by the encryption of a zero.All other values returned are the same as in the original w oracle.We now wish to upper bound where the equality follows from the fact that w is identically distributed to w 1 if sk * 1 = 0. We show that for any adversary B, one can construct a IMG adversary C s.t.Eq. 1 is upper bounded by the advantage of C. We show the reduction in Figure 5.
First, we see C simulates perfectly the oracles for queries independent of (sk * , pk * ).Indeed, C samples a valid function g and random injective functions e(g(sk), •, •) for each sk ̸ = sk * .Then, C can use its knowledge of these functions to reply to any query e ′ (pk, •, •), d ′ (sk, •), w ′ (pk, •) or u ′ (pk, •) with pk ̸ = pk * , sk ̸ = sk * as in the original game played by B.
Then, C sets the encryption oracle for pk * as where e 0 , e 1 are C's own oracles.As e 0 , e 1 are random one-to-one functions s.t.their image do not intersect, e ′ (pk * , •, •) is also a random one-to-one function {0, 1} n+1 → {0, 1} 3n .Therefore, e ′ simulates perfectly e.Then, d ′ simulates perfectly d ′ as ⊥ is returned if it is queried on (sk * , •).Similarly, u ′ perfectly simulates u by using C's own u oracle to reply to queries of the form u ′ (pk * , •).
where the last equality follows from Corollary 1. w j : We successively modify the oracle w 1 into an oracle w j , j ∈ [n] s.t. on a query (pk * , •), the i-th first components of the resulting ciphertexts are encryption of a 0 instead of the i-th bit of the challenge secret key.Formally, we have w j (pk, i) = w(pk, i), if pk ̸ = pk * (. . ., e 0 (r j,pk (i)), e sk * j+1 (r j+1,pk (i))), . ..), if pk = pk * .
w n : Now, w n (pk * , •) returns a vector of ciphertexts encrypting 0 which means we do not use sk * in w n anymore.In order to conclude the proof of the lemma, we wish to show that Pr[B g,e,d ′ ,w n ,u (g(sk * ), c * ) ⇒ sk * ] = negl(n) .
One can see that the oracles (g, e, d ′ , w n , u) never invert pk * or use the secret key sk * anymore.The only exception is the decryption oracle that returns ⊥ whenever sk * is equal to the queried sk.However, this condition can be checked by verifying whether g(sk) = pk * , as g is one-to-one.Hence, we are going to show that if B outputs sk * , one can build an adversary D that inverts g on a random image, having access to a partial inverse oracle.We show the adversary in Figure 6.As in Lemma 4, D g,g −1 ̸ =sk * receives g(sk * ), where g is a random injective function, sk * is sampled at random, and the goal is to recover sk * .Note that sk * and pk * = g(sk * ) are distributed as in B's game.Then, D generates a challenge ciphertext c * using pk * and runs B while simulating the oracles (g, e, d ′ , w n , u) as follows.
• g(sk): D uses its own g oracle to reply to B's queries to g.As they are similarly distributed and pk * = g(sk) * , the simulation is perfect.
• e ′ (pk, b, r): It simply returns the evaluation of e(pk, b, r), where e(pk, •, •) is a random one-to-one function sampled by D. This simulates perfectly e.
• d ′ (sk, c): It returns the decryption of c or ⊥ if sk = sk * , as in the oracle d ′ .Note that D uses its own oracle g to check whether g(sk) = pk * .
• w ′ (pk, i): It simulates w n perfectly.Indeed, if pk = pk * it returns a vector of ciphertexts encrypting 0. Otherwise, D uses its own g −1 ̸ =sk * to invert pk and encrypts the bits of the corresponding secret key.
• u(pk, c): It simulates perfectly u as D uses its knowledge of e(pk, •, •) to check whether c is a valid image.
Note that while the simulated oracles are described in a classical way, D implements them as quantum accessible oracles.This can be done with a polynomial number of quantum queries to its own oracles, as described before.Finally, we get Pr[B g,e,d ′ ,w n ,u (g(sk * ), c * ) where the last equality follows from Lemma 4. Collecting the probabilities as in a standard hybrid argument holds the proof of Lemma 5.In addition, we modify w into a w ′ oracle s.t. it queries e ′ instead of e.Note that as w (resp.w ′ ) encrypts n bits in parallel, one quantum query to w (resp.w ′ ) can be computed with n quantum queries to e (resp.e ′ ).Thus, in total, there are at most q + qn queries made to e or e ′ , where q is the number of queries made by A. Then, Γ 2 is the same as Γ 1 where (pk * , c * = e(pk * , b, r * )) is as in the IND-CPA game, and B runs A until some random quantum query q i to e (made by A or w), measures the input register and outputs the last n bits of the result.As before, we are going to upper bound the right-hand side of the equation by the probability a quantum adversary F inverts a random one-to-one length-tripling function with the help of a partial inverse oracle.This time, F will simulate queries of the form e(pk * , b, •) using the function e ∈ Inj n,3n it wants to invert.We show F in Figure 7.As in previous reductions, F samples its own functions g, r pk,i and e(pk, •, •) for pk ̸ = pk * .Using these, it can reply consistently to B's queries that do not involve sk * or pk * .In addition, F samples a random challenge bit b ′ that plays the role of the challenge bit of the IND-CPA game.Then, it sets where e is the function F wants to invert and e 1−b ′ ∈ Inj n,3n is sampled by F. Now, as both e, e 1−b ′ are injective functions in Inj n,3n , the probability that e ′ (pk Thus, assuming coll does not occur, e ′ (pk * , •, •) follows the same distribution as e.In addition, F can simulate perfectly d and w using its knowledge of sk * and its own oracles/functions.In particular, each quantum query w(pk * , •) can be simulated with at most n quantum queries to its oracle e.Finally, queries of the form u ′ (pk * , c) for some c ∈ {0, 1} 3n can be simulated perfectly, as: • if c ̸ = c * : F can query its oracle e −1 ̸ =r * to check whether c is a valid ciphertext of the form c = e ′ (pk * , b ′ , r), for some r.If that is not the case, F further checks whether c = e ′ (pk * , 1 − b ′ , r) for some r using its knowledge of e 1−b ′ .
• if the two previous conditions are not fulfilled, then c is not a valid ciphertext.
Hence, if coll does not occur, F simulates perfectly B's view and we get where the last equality follows from Lemma 4. Thus,
• M = M ′ : Either sk i = b or the ciphertext corresponding to the modified query (or the decryption of the ciphertext) does not impact the decryption result.However, by repeating many times the experiment with different (M, R), it is possible to distinguish both cases with high probability and one can recover the corresponding bit of the secret key sk.
Note that if no ciphertext of the form e(pk, •, •) ever impacts the decryption, the secret-key sk s.t.g(sk) = pk will not be recovered using this technique.However, it also means that recovering such secret-key is not important as it is not used in decryption.Hence, after this step, all useful sk's should be recovered with high probability.
3. In the last step, using the knowledge of the secret-keys recovered and of the queries made throughout the different experiments, the adversary builds a key SK ′ and simulates the decryption algorithm D O using its own version D Ô.Then, with high probability we will have D Ô(SK ′ , C * ) = M * , where C * is the challenge ciphertext and M * the challenge bit of the IND-CCA game (remember we consider 1-bit PKEs).This step is the only non-efficient one, as the adversary needs to sample an oracle Ô consistent with the values observed in the previous step.Proof.This follows from Theorem 3 and the fact that the adversary defined in the proof is efficient if P = NP.Indeed, the adversary is efficient except in the last step, where it samples an oracle that must be consistent with the queries seen.Sampling such an oracle is equivalent to sampling an NP witness, which can be done efficiently if P = NP.More details can be found in the original proof [GMM07].
It follows that that disproving the previous result would imply proving P ̸ = NP.However, we note that the assumption P=NP is not necessary.One can also embed a PSPACE oracle in the breaking oracle R, then the proof holds as P PSPACE = NP PSPACE .
The main result of the paper then follows.

A Proof of Lemma 1
Proof.We first recall a generalized version of the Swapping Lemma [Vaz98], proven by Hosoyamada et al. [HY20].for any output y.
We first note that sampling Γ ′ is the same as sampling (Γ, z, x) and then the set of differing outputs D ←$ D x,z,Γ .Hence, the left-hand side of the equation can be written as where we used the inequality E[ √ X] ≤ E[X] and we set µ A,Oi (z,•),j (x) = (z,z ′ )∈∆(Oi,O ′ i ) µ A,Oi (z,z ′ ),j (x) for some query j.Now, let Q be the query number sampled uniformly at random by B and let's assume Q = j.Then, the probability B outputs z is the probability that the result of measuring the j-th query made by A is of the form (z, z ′ ) for some z ′ .By the definition of query magnitude, it is at least µ A,Oi (z,•),j (x), thus Pr[B A,Γ (x) ⇒ z|Q = j] ≥ µ A,Oi (z,•),j (x).Hence, Pr[B A,Γ (x) ⇒ z|Q = j] ≥ 1 q q j=1 µ A,Oi (z,•),j (x) .where the last probability is taken over the internal randomness of B, and the randomness of the measurement, Γ, x and z.Note that we can remove the dependence over D as the event {B A,Γ (x) ⇒ z} is fully determined by Γ, x, z and the randomness of B. Collecting the inequalities concludes the proof.

Definition 10 (
Oracle O).The oracle O is made of several sub-oracles, more precisely O = (g, e, d, u, w).Each sub-oracle will play a part in the proof: (g, e, d) will correspond to the IND-CPA PKE (w, u) will help the IND-CCA adversary break the underlying IND-CPA PKE in order to win its own game.More precisely, if we follow the notation of Lemma 2, O = (g, e, d) and R = (u, w).

Definition 14 (
PKE relative to O).Let O = (g, e, d) be an oracle.A valid PKE construction relative to O is of the form PKE O = (G O , E O , D O ), where for all n ∈ N and some constants ρ 0 , ρ 1 , ρ 2 , ρ 3 (G O , E O , D O ) are as follows.

Γ 0 :
It is the original IND-CPA game.We recall that a quantum (sub-)oracle o is a family of quantum circuits: o = {o i } i∈N , where o ∈ (g

Γ 2 :
We recall that Γ 1 is the IND-CPA game except the oracle d has been modified into an oracle d ′ that returns ⊥ on a query (sk * , •).Now, we modify Γ 1 into a game Γ 2 by building another "encryption" oracle e ′ that returns ⊥ whenever queried on (pk * , b, r * ) for any bit b, where r * is the randomness used to compute the challenge ciphertext (i.e.c * = e(pk * , b, r * )).Formally, e ′ (pk, b, r) = ⊥, if pk = pk * ∧ r = r * e(pk, b, r), otherwise .

Corollary 3 .
If P = NP, for measure one of oracles (O, R), there exists an efficient adversary A that breaks the IND-CCA security of every shielding construction PKE O = (G O , E O , D O ).

Theorem 4 .
There is no post-quantum shielding black-box construction of IND-CCA PKE from IND-CPA PKEs.Proof.From Corollaries 2 and 3 we know that for measure one of oracles (O, R), IND-CPA PKEs exist but IND-CCA PKEs do not.Thus, there exists a tuple of oracle (O, R) s.t.IND-CPA PKEs exist but IND-CCA PKEs do not.Hence, the conditions for Lemma 2 to hold are fulfilled and that concludes the proof.

Finally[
Pr[B A,Γ (x) ⇒ z]] = 2q Pr[B A,Γ (x) ⇒ z] [CX21]tion 5, we show that an IND-CPA PKE exists relative to (O, R).The proof uses both the hardness of IMG and the lemma by Cao et al.[CX21].Finally, in Section 6 we recall Gertner et al.'s main lemma, that says that non-shielding constructions of PKEs relative to (O, R) are not IND-CCA secure, which concludes the proof.We write 1 P the indicator function that returns 1 if the predicate P holds and 0 otherwise.We denote by [n] the set {1, . . ., n} and Inj i,n the set of injective functions from {0, 1} i to {0, 1} n , with i, n ∈ N, i ≤ n.For any function f : {0, 1} i → {0, 1} n , we write Im(f ) for the image of f , i.e.Im(f ) := {y : ∃x ∈ {0, 1} i s.t.f (x) = y}.When it is clear from the context, • replaces any valid value.E.g. for some oracle O that takes two inputs and a valid first input a, O(a, •) denotes any query O(a, b) for some valid second input b.Finally, we write A ⇒ b to denote the event A outputs b, where A is an algorithm, and for a game Γ that takes as input an adversary A, we write Γ(A) ⇒ b or even Γ ⇒ b to denote the event Γ(A) outputs b.