Quantum key recovery under plaintext-checking attacks on post-quantum cryptosystems

Authors: Yaru Wang, Haodong Jiang, Zhi Ma
Journal: Quantum Information Processing, volume 24, issue 1 (Journal Article)
Publication date: 2024-12-30
DOI: 10.1007/s11128-024-04629-x
URL: https://link.springer.com/article/10.1007/s11128-024-04629-x
To cope with the potential security threats arising from quantum computing, the American National Institute of Standards and Technology (NIST) recently launched a post-quantum cryptography (PQC) standardization project with the goal of standardizing new next-generation public-key cryptosystems. In particular, many NIST-PQC cryptosystems follow the same meta-cryptosystem. At EUROCRYPT 2019, Băetu et al. analyzed the security of the meta-cryptosystem under key reuse by mounting a classical key recovery under plaintext-checking attacks (KR-PCA) and a quantum key recovery under chosen-ciphertext attacks (KR-CCA). Their results showed that quantum KR-CCA is much more efficient than classical KR-PCA. However, KR-PCA is more threatening than KR-CCA, since KR-PCA only needs a plaintext-checking oracle that tells whether a given ciphertext correctly decrypts to a given plaintext, while KR-CCA requires a full decryption oracle. This paper proposes a quantum KR-PCA algorithm and shows that quantum KR-PCA still outperforms classical KR-PCA. In detail, we first transform the noise learning problem (the core of implementing KR-PCA) into an ordered search problem. Based on the quantum algorithm for solving the ordered search problem, we solve the noise learning problem using quantum algorithms. Then, based on this quantum algorithm, we develop a quantum KR-PCA for the meta-cryptosystem under key reuse, where the number of oracle queries is about one third of the number required by classical KR-PCA. In addition, we also show that this improvement cannot be further significantly improved for quantum adversaries. Finally, applying it to 8 concrete NIST-PQC cryptosystems, we show that our quantum KR-PCA saves at least half of the running time and of the oracle queries.
Journal description:
Quantum Information Processing is a high-impact, international journal publishing cutting-edge experimental and theoretical research in all areas of Quantum Information Science. Topics of interest include quantum cryptography and communications, entanglement and discord, quantum algorithms, quantum error correction and fault tolerance, quantum computer science, quantum imaging and sensing, and experimental platforms for quantum information. Quantum Information Processing supports and inspires research by providing a comprehensive peer review process, and broadcasting high quality results in a range of formats. These include original papers, letters, broadly focused perspectives, comprehensive review articles, book reviews, and special topical issues. The journal is particularly interested in papers detailing and demonstrating quantum information protocols for cryptography, communications, computation, and sensing.