Provably Quantum-Secure Tweakable Block Ciphers

Recent results on quantum cryptanalysis show that some symmetric key schemes can be broken in polynomial time even if they are proven to be secure in the classical setting. Liskov, Rivest, and Wagner showed that secure tweakable block ciphers can be constructed from secure block ciphers in the classical setting. However, Kaplan et al. showed that their scheme can be broken by polynomial time quantum superposition attacks, even if underlying block ciphers are quantum-secure. Since then, it remains open if there exists a mode of block ciphers to build quantum-secure tweakable block ciphers. This paper settles the problem in the reduction-based provable security paradigm. We show the first design of quantum-secure tweakable block ciphers based on quantum-secure block ciphers, and present a provable security bound. Our construction is simple, and when instantiated with a quantum-secure n-bit block cipher, it is secure against attacks that query arbitrary quantum superpositions of plaintexts and tweaks up to O(2n/6) quantum queries. Our security proofs use the compressed oracle technique introduced by Zhandry. More precisely, we use an alternative formalization of the technique introduced by Hosoyamada and Iwata.


Introduction
Post-quantum security attracts significant attention not only in the context of public key cryptography but also in the context of symmetric key cryptography, from the view point of both cryptanalysis [BN18, BNS19a, BNS19b, CNS17, GNS18, HSX17, KLLN16b,KLLN16a] and provable security for modes of operations [BZ13, CHS19, HI19, HY18, SY17, Zha19]. Recent results on symmetric key schemes show that some of the schemes that are proven to be secure in the classical setting are completely broken by adversaries with quantum computers in some specific situations [KM10,KM12,KLLN16a], which implies that simple remedies such as "doubling the length of secret keys" would not be sufficient to prepare for the threat of quantum computers, especially if it needs to be run on a quantum computer.
There are two post-quantum security notions for symmetric key schemes: standard security and quantum security [Zha12a]. Roughly speaking, a symmetric scheme is said to have standard security if it is secure against adversaries with quantum computers that have access to usual classical keyed oracles. On the other hand, the scheme is said to have quantum security if it is secure even if adversaries with quantum computers have access to quantum keyed oracles. A quantum keyed oracle allows adversaries to make quantum superposition queries, and returns responses in quantum superpositions 1 . A scheme with quantum security has not only standard security, but it also remains secure in arbitrary intermediate security notions between quantum security and standard security. Therefore, in this sense, quantum security is theoretically the ultimate security goal that symmetric key schemes can achieve.
Importance of studying quantum security. From the view point of long-term security for symmetric key schemes, it is important to study their quantum security given the current progress on the development of quantum computers. Since program codes to compute a (deterministic) function implemented on classical computers can be ported onto quantum computers, a scheme that does not have quantum security should not be implemented in a black-box manner (by using, e.g., obfuscation). On the other hand, such security concern does not exist for a scheme with quantum security. Moreover, a scheme with quantum security will remain secure even in a far future when lots of computations and communications are done in quantum superpositions, and it will be safely used in other cryptographic schemes or protocols that are designed to run on quantum computers. 2 Quantum security of tweakable block ciphers. A block cipher (BC) is a keyed permutation, i.e., it takes a plaintext and a key as input to output a ciphertext, and a tweakable block cipher (TBC) takes additional input called a tweak. TBCs have wide applications in symmetric key cryptography, as they can be used to construct message authentication codes and authenticated encryption schemes, see e.g. [Rog04,IMPS17,BGIM19,IKMP20]. The notion of TBC was first formalized by Liskov, Rivest, and Wagner [LRW02,LRW11]. They introduced two TBC constructions and proved that TBCs can be constructed from BCs in the classical setting 3 . However, Kaplan et al. showed that these constructions are broken in polynomial time when adversaries have access to quantum encryption oracles [KLLN16a] 4 . There has been no proposal of modes of BCs to build TBCs that are proven to be secure against quantum superposed attacks so far, and the existence of such modes remains open. In this paper, we consider the following question: Does there exist a mode to build quantum-secure TBCs from quantum-secure BCs?

Our Contributions
We give a positive answer to the question in the reduction-based provable security paradigm by giving the first construction of quantum-secure TBCs from quantum-secure BCs. Our construction, which we call LRWQ, has a simple structure and is based on one of the two constructions by Liskov, Rivest, and Wagner. If the underlying BC is an n-bit BC with k-bit keys, then LRWQ becomes an n-bit TBC with 3k-bit keys and n-bit tweaks. We show that LRWQ is indistinguishable from tweakable random permutations up to O(2 n/6 ) quantum queries 5 in the setting that adversaries can query arbitrary superpositions of plaintexts and tweaks, i.e., we prove security against quantum chosen plaintext attacks (qCPAs).
To prove quantum security of our construction LRWQ, we use an alternative formalization [HI19] of the compressed oracle technique developed by Zhandry [Zha19]. We give a summary of necessary proof techniques to show quantum oracle indistinguishability introduced in a previous work [HI19,HI20], and then apply it to show quantum security of LRWQ.
Our result is theoretically significant in the sense that we for the first time showed that quantum-secure tweakable pseudorandom permutations (q PRP) can be constructed from quantum-secure pseudorandom permutations (qPRP) (which establishes the fact that the existence of q PRP is theoretically equivalent to the existence of qPRP). The problem of whether a cryptographic primitive can be constructed from another primitive (whether there exists a reduction) is fundamental and theoretically the most important in cryptology. In addition, given that a q PRP can be obtained from quantum-secure pseudorandom functions (qPRF) through 4-round Feistel cipher [HI19,HI20], our result establishes the fact that a q PRP can be obtained from a qPRF.
On a practical side, it is plausible to assume AES [Nat01] to be qPRP given that there has been no devastating quantum attack despite of recent efforts on quantum cryptanalysis on it. Thus, we can certainly obtain q PRP by instantiating LRWQ with AES. This means that our result enables us to directly benefit from recent efforts for quantum cryptanalysis on AES [GLRS16,BNS19b,JNRV20].
Remark 1. To obtain q PRP, one obvious approach is to verify whether existing native TBCs are quantum-secure (or design new ones), instead of using our mode LRWQ. However, these two approaches do not negate the other, but complement each other, i.e., our result gives another choice to construct q PRP for users. Even if there exists a quantum-secure native TBC, this does not invalidate our result.
Remark 2. This paper does not provide security proofs against quantum chosen ciphertext attacks (qCCAs), as our construction is broken if the decryption oracle is available even in the classical setting, which is also the case for one of the original constructions by Liskov, Rivest, and Wagner. Showing existence of TBCs that are secure against qCCAs is an interesting future work. Since the compressed oracle technique can be used for random functions but cannot be used for random permutations that allow inverse queries, an entirely new proof technique has to be built to show that a scheme (if exists) is secure against qCCAs. Note that TBCs that are secure against chosen-plaintext attacks (which is not secure against chosen-ciphertext attacks) can be used to instantiate various efficient message authentication codes and authenticated encryption schemes, e.g., ZMAC [IMPS17], ZOTR [BGIM19], and Romulus [IKMP20]. Therefore, TBCs that are secure against quantum chosen-plaintext attacks (qCPAs) are relevant. 6

Paper Organization
Section 2 describes notations and basic definitions that are used throughout the paper. Section 3 reviews previous proof techniques and gives a proof summary to show quantum oracle indistinguishability results. Section 4 describes the specification of our construction LRWQ, and proves its quantum security. Section 5 concludes this paper with possible future works. 6 We note that the argument here is to illustrate the relevance of TBCs that are secure against CPAs. We are not claiming that the modes are secure against quantum attacks. We also note that there are BC-based authenticated encryption modes that do not use the decryption of BCs, such as CCM [WHF02], GCM [MV04], and OTR [Min14].

Preliminaries
Throughout the paper, we assume that all algorithms are quantum algorithms, and make quantum superposed queries to oracles. We assume that readers are familiar with basics on quantum computations.
Basic notations. For bit strings X ∈ {0, 1} m and Y ∈ {0, 1} n , let X||Y ∈ {0, 1} m+n denote the concatenation of X and Y . For each bit string X of finite length, let |X| denote the length of X in bits. For a positive integer m, GF(2 m ) denotes the finite field of order 2 m . We identify the set of bit strings {0, 1} m with the set of integers {0, 1, . . . , 2 m − 1} unless otherwise noted.
· and · tr denote norm of vector and trace norm of matrix, respectively. td(·, ·) denotes the trace distance function td(ρ, σ) := 1 2 ρ − σ tr . H denotes the Hadamard operator on 1-qubit states. We denote the identity operator for an n-qubit quantum system by I n or just I. In addition, we denote the vectors |φ ⊗ |0 s and |0 s ⊗ |φ by the same symbol |φ , if there will be no confusion. For a unitary operator U , we denote the operators U ⊗ I and I ⊗ U by the same symbol U .

Information-Theoretic Model
First, we explain how we model (oracle-aided) quantum algorithms when we take only the number of quantum queries into account as adversaries' computational resources, i.e., we consider quantum information-theoretic adversaries. When a single quantum oracle is available 7 , following previous works [BDF + 11, SY17, Zha12a] we model an oracle-aided quantum algorithm A that makes at most q quantum queries as a sequence of unitary operators (U 0 , . . . , U q ) that act on an s-qubit state space (which is the state space of A), where U 0 corresponds to an initialization process and U i corresponds to A's offline computation after the i-th query, for i ≥ 1. Without loss of generality we can assume that A does not make any intermediate measurements, and A's state space H A (a Hilbert space) is a joint system of an a query -qubit quantum system H query , an a ans -qubit quantum system H ans , and an (s − a query − a ans )-qubit quantum system H work . Here, H query , H ans , and H work correspond to the register to send queries to oracles, the register to receive answers from oracles, and the register for A's offline works, respectively. We also model a quantum , A measures the first s-qubit of the state |Φ with the computational basis to obtain a classical s-bit string z, and finally outputs (a part of) z. We denote the event that A outputs a bit string x after it runs relative to O by x ← A O .
Example of an oracle. Let F be a family of functions from {0, 1} m to {0, 1} n . Suppose that a quantum algorithm A runs relative to a quantum oracle O F that first chooses f randomly from F (according to a distribution on F ) and gives A a quantum oracle access to f . Then H query and H ans are defined as m-qubit space and n-qubit space, respectively. O F has no quantum states, and each O i is the unitary operator defined by When f is chosen just uniformly at random, then this is the quantum oracle of a random function.

Non-Information-Theoretic Model
When we take other computational resources such as time and the number of available qubits into account in addition to the number of quantum queries, we model a quantum algorithm as a combination of classical algorithms and quantum circuits. In this paper we consider the pure quantum circuit model and ignore the costs related to communication complexity and error corrections. We regard that a quantum circuit of depth D runs in time D. We assume that each quantum circuit is composed of (1) the Hadamard gate H, (2) the π/8-gate T , (3) the phase gate S, (4) the CNOT gate, and (5) the oracle gate (if an oracle is available). We assume that each of basic gates runs in time O(1), in addition that CNOT can act on arbitrary pair of qubits.
Remark 3. In practice, computational complexity of quantum algorithms would significantly vary depending on error correction costs and quantum hardware architectures, or communication costs. Our model might overestimate quantum algorithms' abilities, but schemes that are proven to be secure in this model will remain secure in other more realistic models.

Security Definitions
Oracle distinguishing advantage. For quantum oracles O 1 and O 2 , we define the quantum distinguishing advantage of an oracle-aided quantum algorithm A by 1} n be a keyed function, and A be an oracle-aided quantum algorithm. By abuse of notation, let F also denote the quantum oracle that chooses a key K ∈ {0, 1} k uniformly at random and gives a quantum oracle access to F (K, ·). Following previous works [BDF + 11, Zha12a], we define the quantum pseudorandom function advantage (or qPRF advantage for short) by where RF is the quantum oracle that gives a quantum oracle access to a random function Quantum PRP advantages. Let E : {0, 1} k × {0, 1} n → {0, 1} n be a block cipher, and A be an oracle-aided quantum algorithm. By abuse of notation, let E also denote the quantum oracle that chooses a key K ∈ {0, 1} k uniformly at random and gives a quantum oracle access to E(K, ·). Following [HI19, Zha16], we define the quantum pseudorandom permutation advantage (or qPRP advantage for short) by Adv qPRP where RP is the quantum oracle that gives a quantum oracle access to a random permutation Quantum TPRP advantages. LetẼ : {0, 1} k ×{0, 1} t ×{0, 1} n → {0, 1} n be a tweakable block cipher, and A be an oracle-aided quantum algorithm. By abuse of notation, letẼ also denote the quantum oracle that chooses a key K ∈ {0, 1} k uniformly at random and gives a quantum oracle access toẼ(K, ·, ·). Extending the classical security notion [LRW02,LRW11], we define the quantum tweakable pseudorandom permutation advantage (or q PRP advantage for short) by where RP is the quantum oracle that gives a quantum oracle access to a functionP : is a random permutation for each T ∈ {0, 1} t (i.e.,P is a tweakable random permutation).

Proof Techniques in the Quantum Setting
This section reviews previous quantum proof techniques that are used in later sections. One of the most significant obstacles to giving quantum security proofs is that we cannot record transcripts of queries and answers: if we copy and record adversaries' queries in the same way as we do in the classical setting, it significantly affects the adversaries' quantum states.
In [Zha19], Zhandry showed how we can overcome this obstacle with his proof technique named "compressed oracle technique," which enables us to record transcripts of queries made to quantum random oracles to some extent. His technique is so powerful that it can be used to show the indifferentiability of Merkle-Damgård construction, post-quantum security of Fujisaki-Okamato transformation [Zha19], the quantum query lower bound for the multicollision-finding problem on random functions [LZ19], and that the 4-round Luby-Rackoff construction is a qPRP [HI19,HI20]. The technique not only enables us to record quantum queries but also efficiently simulate random functions. In later sections, we also use his technique to show that a function is indistinguishable from a random function against information theoretic adversaries. Because we do not have to care about efficient simulations of random functions in our proofs when we focus on information theoretic adversaries, we use an alternative formalization of the compressed oracle technique by Hosoyamada and Iwata named recording standard oracle with errors [HI19, HI20], which ignores efficient simulations for random functions and focuses on recording quantum queries. In [HI19,HI20], the authors showed some indistinguishability results by using the recording standard oracle with errors. Their techniques are arguably complex, making it hard to apply for other symmetric key schemes. In this section, we give a summary of their proof strategy so that the readers can have a good outlook on it 9 . The organization of this section is as follows. In Section 3.1, we present an overview the recording standard oracle with errors. In Section 3.2, we review and summarize how the recording standard oracle with errors is used to show quantum oracle indistinguishability in [HI19, HI20] (see Proposition 3). In Section 3.3, we review some other useful proof tools for later use.
In Section 3.1 and Section 3.2, we focus on quantum information-theoretic adversaries, and model quantum algorithms as in Section 2.1.1. In Section 3.3, we take the running time and the number of available qubits into account when we estimate adversaries' computational resources, as in Section 2.1.2.

Standard Oracle
The quantum oracle of a random function (or quantum random oracle [BDF + 11]) is primarily defined as the oracle such that, a function f is chosen randomly at the beginning, and then it gives an adversary quantum oracle access to f . Note that the quantum oracle access to a function f is realized by the unitary operator O f : |x |y → |x |y ⊕ f (x) (See the example in Section 2.1.1). Below, we give an equivalent model of the quantum oracle of a random function, which we call the standard oracle for a random function.
For a function f : {0, 1} m → {0, 1} n , by the same symbol f let us denote the (n+1)·2 mbit string (0 f (0)) (0 f (1)) · · · (0 f (2 m − 1)). (Now we are considering the truth table of f . Readers may wonder why there is a bit "0" before each f (i) although a natural representation of the truth table would be the n · 2 m -bit string f (0)||f (1)|| · · · ||f (2 m − 1). Actually, the bit "0" in our representation is essentially unnecessary to explain the standard oracle, but we include this for later use.) In addition, let us define a unitary operator stO for (n + m + (n + 1)2 m )-qubit states by where x ∈ {0, 1} m , y ∈ {0, 1} n , and S = (b 0 s 0 ) (b 1 s 1 ) · · · (b 2 m −1 s 2 m −1 ), where b i ∈ {0, 1} and s i ∈ {0, 1} n for each i ∈ {0, 1} m . Then we have that (O f |x |y ) ⊗ |f = stO |x |y |f holds. That is, the oracle O f can be realized by the operator stO, which is independent from functions, and the truth table of f . By abuse of notation, let stO also denote the stateful quantum oracle such that its initial state is the uniform superposition of all functions f 1 2 n2 m |f , and when a query is made, the response is processed as in (1). Then, for any quantum algorithm A and any (classical) possible output z, Pr z ← A stO = Pr z ← A RF holds.

Recording Standard Oracle with Errors
Next we review the recording standard oracle with errors, which is an alternative formalization of Zhandry's compressed oracle technique. It enables us to record transcripts of queries made to random functions.
Define three unitary operators IH, CH, U toggle that act on (n + 1)2 m -qubit states by For completeness, we do not rely on any propositions in [HI19,HI20] that is related to the errors. The propositions we cite from [HI19,HI20] in this paper are ones of which correctness can be confirmed just by straightforward algebraic calculation (Proposition 1 and Proposition 2), and one that is just a simple combination of other previous results (Proposition 4).
where CH ⊗n := |1 1| ⊗ H ⊗n + |0 0| ⊗ I n is the controlled n-qubit Hadamard operator, and X is the 1-qubit "NOT" operator defined by X |b = |b ⊕ 1 . The actions of the unitary operator U enc := CH · U toggle · IH and its conjugate are called encoding and decoding, respectively.
Definition 1 (Recording standard oracle with errors). The recording standard oracle with errors is a quantum oracle with (n + 1)2 m -qubit states such that the initial state is |0 (n+1)2 m and responses to queries are processed by the unitary operator RstOE := (I ⊗ U enc ) · stO · (I ⊗ U * enc ), where I denotes the identity operator on adversaries' query and answer registers, and U * enc is the conjugate of U enc . (See also Fig. 1 From the definition of RstOE it immediately follows that, for any quantum algorithm A and any (classical) possible output z, Let D be an (n + 1)2 m -bit string Note that there is a natural one-to-one correspondence between the set of valid databases and the set of partially defined functions from {0, 1} m to {0, 1} n that is defined by In addition, there exists a trivial oneto-one correspondence between the set of the partially defined function from {0, 1} m to {0, 1} n and the set X : We identify valid databases with partially defined functions and elements in X via these one-to-one correspondences. For a valid database D, we write Remark 4 (Intuition behind RstOE). Intuitively, for a valid database D, b x = 1 means that x has been queried and the corresponding answer is d x , and databases can be regarded as transcripts of queries and answers. When a query is made, (valid) databases are first "decoded" into truth tables of functions. Then the oracle responds with stO, and finally the truth tables are "encoded" again into (valid) databases.
Let A be a quantum algorithm, and |ψ i be the whole quantum state of A and the oracle just before the i-th query when it runs relative to the standard oracle RstOE. For ease of notation, let us denote |ψ q+1 be the quantum state after all unitary processes are finished. The following proposition guarantees that each database contains at most i entries after i quantum queries. Proposition 1. Let i ≥ 1. Suppose that we measure the oracle states' register of |ψ i+1 and obtained a database D. Then D is valid, and contains at most i entries.
We can deduce that the proposition holds from the discussions in [HI19, HI20], though, we provide a proof of the proposition in Appendix A for completeness.
Remark 5. Unlike classical transcripts, even if |ψ i contains a database D (of non-zero quantum amplitude) with an entry (x, d x ), there is no guarantee that |ψ i contains a database with the entry (x, d x ) for some i > i. That is, roughly speaking, there is a possibility that a database will "forget" its entries. Furthermore, there is even a possibility that the record (x, d x ) is overwritten with another record (x, d x ) when a query is made.
The following proposition shows core technical properties for RstOE.

For any y, there exists a vector
is a superposition of invalid databases that depend on γ defined by and | 0 n := H ⊗n |0 n .

For any y, there exists a vector
holds, where | 0 n = H ⊗n |0 n .
Remark 6. Roughly speaking, Proposition 2 says that RstOE behaves as a quantum version of the classical lazy sampling (up to a small error) when the state before a query is not superposed: The second property is an analogy of the property of the classical lazy sampling that, if the query x has not been queried before, then RstOE samples α uniformly at random and responds with it (with some errors). The first property is an analogy of the classical one that, if the query x has already been queried before and its answer was α, then the response to the current query is α as before (with some errors). When the state before a query is superposed, the effect of the error terms | 1 and | 2 becomes non-negligible and quantum-specific properties (such that a record is deleted or overwritten from the database) arise, and we have to provide careful analysis. Therefore, we can use classical intuitions to come up with quantum security proofs with RstOE, but still sometimes classical intuitions do not work and mathematically rigorous proofs are indispensable.

How to Show Quantum Oracle Indistinguishability with RstOE
Here we briefly review how the recording standard oracle with errors is used to show quantum oracle indistinguishability in [HI20]. Note that this section focuses on quantum information-theoretic adversaries, and we model quantum algorithms as in Section 2.1.1. We first describe the proof strategy formally, and then explain some informal intuition behind it.
Goal. Suppose that there are functions F f1,...,fr , G g1,...,gs : X → Y that have access to functions f 1 , . . . , f r and g 1 , . . . , g s in a black-box manner, respectively. Our goal is to give an upper bound on the distinguishing advantage of an adversary A between F f1,...,fr and G g1,...,gs when each f i and g j are random functions.
Oracle implementations using RstOE. Below, we assume that elements in X and Y are encoded into m-bit strings and n-bit strings for some positive integers m and n, respectively. When each f i is a fixed function (but not a random function), let O f1,...,fr F denote the quantum oracle of F f1,...,fr . We assume that the unitary operator O f1,...,fr F of the oracle O f1,...,fr F is realized as a quantum circuit with oracle gates (that make queries to f 1 , . . . , f r ) and suppose that ancilla qubits are used to compute F . The ancilla qubits are supposed to be |0 before and after each evaluation of F when f 1 , . . . , f r are some fixed functions. That is, we assume that O f1,...,fr F is a unitary operator such that O f1,...,fr F : |x |y ⊗ |0 → |x |y ⊕ F f1,...,fr (x) ⊗ |0 holds, when each f i is fixed. When f 1 , . . . , f r are random functions RF 1 , . . . , RF r , we assume that they are implemented by using the recording oracle with errors RstOE. We regard O RF1,...,RFr F as the quantum oracle of which quantum states are combinations of (superposed) valid databases for RF 1 , . . . , RF r and the ancilla qubits. Then, the joint quantum state of A and O RF1,...,RFr F is described as where u corresponds to A's state, each DB F = (D 1 , . . . , D r ) denotes a (combined) database for RF 1 , . . . , RF r , each ξ is a classical -bit string, and a u,DB F ,ξ satisfies Similarly, when g 1 , . . . , g s are random functions RF 1 , . . . , RF s , we assume that the quantum oracle O G of G RF 1 ,...,RF s are implemented by using RstOE. We assume that O G uses ancilla qubits to compute G. We denote a (combined) database for RF 1 , . . . , RF s by DB G := (D 1 , . . . , D s ), where D i is a valid database for each RF i . Good and bad databases. Next, we classify valid databases for O F and O G into good and bad databases, which correspond to good and bad transcripts in classical security proofs. The important point is that the classification is done in such a way that there is a one-to-one correspondence between good databases for O F and those for O G . For each good database DB F for O F , we denote the corresponding good database for O G by An upper bound of the oracle distinguishing advantage. Let A be an oracle-aided quantum algorithm that makes at most q quantum queries. Let |ψ i (resp., |ψ i ) be the entire quantum state just before the i-th query when A runs relative to O F (resp., O G ). By abuse of notation, let |ψ q+1 (resp., |ψ q+1 ) be the entire quantum state just before the final measurement.
The technically hardest part to give an upper bound of Adv dist , and |ψ bad i that satisfy the following properties.
hold, where x, y, and z correspond to A's register to send queries to oracles, register to receive answers from oracles, and register for offline computation, respectively.

It holds that
for some positive values Though this proposition is essentially proved in [HI20], here we give a proof for completeness.
Proof. From (10), it follows that |ψ bad (8) and (9), where Tr O F and Tr O G denote the partial trace over the quantum systems of the oracle's states. Thus we have which completes the proof.

Intuitions.
Here we explain some intuitions behind the above proof strategy. First, when we define good and bad databases, we choose good databases so that the following conditions will hold (in addition that there exists a one-to-one correspondence between good databases for O F and those for O G ).
2. The "probability" (in a quantum sense) that a good database DB F (resp., DB G ) changes to a bad database at each query to O F (resp., O G ) is small.
The first condition ensures that the adversary cannot distinguish O F and O G as long as databases are good, which leads to the existence of vectors |ψ good i and |ψ good i that satisfies (8) and (9) for each i. (Recall that, in the proof of Proposition 3, (8) and (9) for i = q + 1 lead to the property that the adversary's distinguishing advantage is bounded by .) The "probability" in the second condition corresponds to the terms are very small, we can show the indistinguishability of O F and O G through Proposition 3. In a later section, to show that the "probability" is really small, we decompose O F (resp., O G ) into a sequence of RstOE f1 , . . . , RstOE fr (resp., RstOE g1 , . . . , RstOE gs ), and prove that the "probability" that a good database changes to a bad database is small at each query to RstOE fj (resp., RstOE gj ) for each j.

Other Useful Tools
Here we review some useful proof tools for later use. Note that, in this section we take the running time and the number of available qubits into account, in addition to the number of quantum queries, when we estimate adversaries' computational resources (see Section 2.1.2 for details).
Switching random functions and random permutations. The following theorem is a quantum version of the RF-RP switching lemma, which was shown by Zhandry [Zha15].
Theorem 1 (Theorem 7 in [Zha15]). Let RF and RP denote quantum oracles of a random function from {0, 1} n to {0, 1} n and an n-bit random permutation, respectively. Let A be an oracle-aided quantum algorithm that makes at most q quantum queries. Then Simulating random functions in the quantum setting. For a positive integer k, k-wise independent hash function family is a family of functions H = {h i : X → Y} i∈I (I is a finite index set) such that Pr Zhandry showed that a random function can be perfectly simulated with 2q-wise independent hash function families against quantum algorithms that make at most q queries [Zha12b].
Theorem 2 (Theorem 3.1 in [Zha12b]). Let A be an oracle-aided quantum algorithm that makes at most q quantum queries. Let H = {h i : {0, 1} m → {0, 1} n } i∈I be a 2q-wise independent hash function family. By abuse of notation, let H also denote the quantum oracle such that i ∈ I is chosen uniformly at random and the quantum oracle access to the function h i is given to A. Then Adv qPRF The set of polynomials over GF(2 n ) of which degree is at most 2q − 1 (≤ 2 n ) becomes a 2q-wise independent hash function family (domains and ranges are GF , 1} n } i∈I denote this hash function family. Then H can be regarded as a function from I × {0, 1} n to {0, 1} n . We can built a quantum circuit with depthÕ(q) and widthÕ(q) (Õ suppresses factors of polynomials in n) that computes the function H : (i, x) → h i (x). Therefore, the following corollary follows from Theorem 2. holds.
Remark 7. The upper bound given in Proposition 4 is much larger than that in Theorem 1. We expect that the bound in (12) is not tight, while a better provable security bound is not known.

A Quantum-Secure TBC
This section gives a new construction that converts block ciphers that are secure against quantum superposition attacks into tweakable block ciphers that are secure against quantum superposition attacks. Since our construction is a variant of the LRW constructions [LRW02], we first review them before introducing ours.

The LRW Constructions
Liskov, Rivest, and Wagner introduced constructions that convert (classically) secure block ciphers into (classically) secure tweakable block ciphers, which are called the LRW constructions [LRW02].
ℎ Figure 2: The LRW constructions. LRW1 is depicted on the left, and LRW2 is depicted on the right.
, 1} n be a block cipher and h be an almost 2-xor-universal hash function. Then the first construction, which we denote by LRW1, is defined as The second construction, which we denote by LRW2, is defined as where h is a part of the key. See Fig. 2 10 . Roughly speaking, both LRW1 and LRW2 are shown to be secure up to about 2 n/2 queries (if h is a 1/2 n -almost 2-xor-universal hash function) in the classical setting. LRW2 is also proven to be secure even if the decryption oracle is available to adversaries (That is, LRW2 is a tweakable strong pseudorandom permutation. LRW1 is not a tweakable strong pseudorandom permutation since it is broken if the decryption oracle is available).
In the quantum setting, however, Kaplan et al. showed that LRW2 can be distinguished from a tweakable random permutation in polynomial time (in n) if quantum superposition queries to keyed oracles are allowed [KLLN16a].
An overview of their attack is as follows: Choose two tweaks T = T and define a function Note that the attack on LRW1 implies that we can efficiently find a collision for the function LRW1[E]

LRWQ: A Quantum-Secure Construction
We next present our construction, LRWQ, which is a three-key block-cipher based tweakable block cipher. If the block length of the underlying block cipher is n, both the block and tweak lengths of LRWQ become n.
Let E be an n-bit block cipher with k-bit keys. Then the tweakable block cipher Unlike the classical constructions LRW1 and LRW2, as we will show in Section 4.3, LRWQ is secure against quantum superposition attacks when it is instantiated with n-bit block ciphers that are secure against quantum superposition attacks. LRWQ is the first mode of block ciphers to build a tweakable block cipher that is provably secure against quantum superposition attacks.

Classical Security Analysis
Before going into the analysis in the quantum setting, we show that LRWQ is a secure tweakable block cipher in the classical setting against chosen plaintext attacks up to O(2 n/2 ) queries, and the security bound is tight. In addition, we show that LRWQ is broken in time O(1) only with O(1) queries if the decryption oracle is available (i.e., LRWQ is not a tweakable strong pseudorandom permutation), even in the classical setting. Define the distinguishing advantage Adv dist , the pseudorandom permutation advantage Adv PRP , and the tweakable pseudorandom permutation advantage Adv PRP for classical adversaries in the same way as we did for quantum adversaries. Then the following proposition holds.
Proposition 5. Let A be a classical adversary that makes at most q queries and runs in time τ . Then, there exist three classical adversaries B 1 , B 2 , and B 3 that make at most q queries and run in timeÕ(τ + q) such that This proposition can be shown in a straightforward manner, but we give a proof intuition in Appendix B.

q PRP Security Proofs for LRWQ
Below, we give q PRP security proof for LRWQ. The goal is to show the following theorem.
Theorem 3. Let A be a quantum algorithm that runs in time τ , makes at most q quantum queries, and uses Q qubits. Then there exist quantum algorithms B 1 , B 2 , and B 3 that make at most O(q) quantum queries and run in time τ 1 , τ 2 , and τ 3 , respectively, such that holds, where τ 1 and τ 2 are inÕ(τ + q 2 ), τ 3 is inÕ(τ + q), andÕ suppresses factors of polynomials in n. B 1 and B 2 useÕ(Q + q) qubits, and B 3 usesÕ(Q) qubits.

Notations, Definitions, and Basic Properties
Here we introduce notations, definitions, and basic properties that are used to prove q PRP security of LRWQ. See Fig. 4 for figures of FSum, FSF small , and FSF big . Note that FSF small is defined in the same way as LRWQ[E] except that it uses random functions instead of block ciphers. FSF big is completely indistinguishable from a random function since f big is a random function.
Reduction to qPRF Security of FSF small . The following proposition shows that the problem of proving q PRP security of LRWQ[E] can be reduced to the problem of proving qPRF security of FSF small when the underlying block cipher is a secure qPRP.
Proposition 6. Let A be a quantum algorithm that runs in time τ , makes at most q quantum queries, and uses Q qubits. Then there exist quantum algorithms B 1 , B 2 , and B 3 that make at most O(q) quantum queries and run in time τ 1 , τ 2 , and τ 3 , respectively, such that follows. In addition, follows from Proposition 4. Therefore, the claim of the proposition follows from (14), (15), (16), (17), and (18).
The most difficult part in the security proof for LRWQ is to show qPRF security of FSF small , which is equivalent to showing indistinguishability of FSF small and FSF big since FSF big is completely indistinguishable from a random function. To use the proof strategy in Section 3.2, we describe how the quantum oracles of FSF small and FSF big are implemented with f 0 , f 1 , and f small or f big , and define good and bad databases in such a way that there exists a one-to-one correspondence between good databases for FSF small and those for FSF big .

Implementations of the quantum oracles of FSF small and FSF big .
We assume that the quantum oracle of FSF small is implemented as follows when f 0 , f 1 , and f small are given as quantum oracles. Suppose that |M, T |Y is queried to the oracle of FSF small . Here, |Y is the register to which the answer from the oracle will be added. We assume that the quantum oracle of FSF big is implemented in the same way, except that the query in the fourth step is (M, T, FSum(M, T )) to f big instead of FSum(M, T ) to f small . See also Fig. 5.
In what follows, as explained in Section 3.2, we assume that the quantum oracles of the random functions f 0 , f 1 , f small , and f big are implemented by using the recording standard oracle with errors, and thus the oracles FSF small and FSF big keep the databases (and the ancillary qubits that are temporarily used in (19)-(22)) as their states. Let O FSF small and O FSF big denote the unitary operators of the oracles FSF small and FSF big to respond to queries as above.  Figure 5: Implementation of FSF small and FSF big . "in" and "out" denote the registers to send queries and receive answers, respectively. The functions f 0 , f 1 , f small , and f big will be implemented with the recording standard oracle with errors in security proofs.

Good and bad databases.
Here we define good and bad databases for FSF small and FSF big in such a way that there exists a one-to-one correspondence between good databases for FSF small and those for FSF big .
Let D 0 , D 1 , D small , and D big denote (valid) databases for f 0 , f 1 , f small , and f big , respectively. The oracles FSF small and FSF big keep (quantum superpositions of) tuples of databases (D 0 , D 1 , D small ) and (D 0 , D 1 , D big ), respectively.
We say that a tuple of bit strings E = (W 0 , W 1 , We say that a (combined) database DB small = (D 0 , D 1 , D small ) for FSF small (resp., DB big = (D 0 , D 1 , D big ) for FSF big ) is good if and only if it satisfies the following condition.
We call the unique expansion E the expansion of (V, C) in DB small (resp., the expansion of (W 0 ||W 1 ||V, C) in DB big ). We say that a (valid) database is bad if it is not good.

Intuition behind good and bad databases.
Intuitively, a valid database DB small = (D 0 , D 1 , D small ) for FSF small (resp., DB big = (D 0 , D 1 , D big ) for FSF big ) is bad if and only if, there exist an element (V, C) in the database D small (which records transcripts for f small ) and two or more pairs ((W 0 , Z 0 ), (W 1 , Z 1 )) ∈ D 0 × D 1 (D 0 and D 1 records transcripts for f 0 and f 1 , respectively) such that Otherwise the database is good. Note that the database is defined to be bad when such a pair exists even if W 0 and W 1 are not queried to f 0 and f 1 at the same time: A natural definition of bad transcripts in the classical setting is that, a transcript is defined to be bad if and only if, there exist a record (V, C = f small (V )) and two or more pairs of records ((W 0 , Z 0 = f 0 (W 0 )), (W 1 , Z 1 = f 1 (W 1 ))) such that Z 0 ⊕ Z 1 = V , and W 0 and W 1 are queried at the same time. However, in the quantum setting, the compressed oracle technique (and the recording oracle with errors) cannot record the information about whether certain pair of inputs are queried at the same time. 11 Thus we defined good and bad databases as above.
A one-to-one correspondence between good databases. By the above definition, we can define a one-to-one correspondence between the set of good databases for FSF small and that for FSF big . We say that a valid database D big for f big is consistent if there does not exist distinct element (W 0 ||W 1 ||V, C) and

Regular and irregular states of oracles.
We say that a state vector of the oracle FSF small is irregular if one of the databases is invalid, or ancillary qubits used in (19)-(22) are not the all-zero state |00 · · · 0 . We say that a state vector is regular if it is not irregular. In addition, we say that a state vector of the oracle FSF small is pre-irregular if one of the databases is invalid, or the least significant 2n qubits (the registers that correspond to f 1 (T ) and FSum(M, T ) in (20)-(22)) are not |0 n |0 n . We say that a state vector is preregular if it is not pre-irregular. Similarly, we define (pre-)irregular and (pre)regular states for FSF big .
The following lemma shows that the behavior of RstOE f big on a consistent database D big is the same as that of RstOE f small on the corresponding database [D big ] small . was submitted in i-th query. However, currently we do not have any idea on how to formalize it, while appropriately removing some records from database. 12 In fact the first condition (i) may not happen but such a database can theoretically exist. Here we exclude the condition (i) just for theoretical completeness.

qPRF Security of FSF small
The goal of this section is to show the indistinguishability of FSF small and a random function, which is equivalent to show indistinguishability of FSF small and FSF big . Let A be a quantum algorithm that makes at most q quantum queries. Let |ψ i and |ψ i denote the whole quantum states of A and the oracle just before the i-th query when A runs relative to FSF small and FSF big , respectively. (By |ψ q+1 and |ψ q+1 we denote the whole quantum states just before the final measurement when A runs relative to FSF small and FSF big , respectively, by abuse of notation.) The technically hardest part of proving the indistinguishability is to show the following proposition. In what follows, for each summation symbol, we separate variables over which the summation is taken and the conditions imposed on the variables by ";", to simplify notations. For example, by α,β;α∈A,α+β∈B we indicate that the summation is taken over all possible α and β such that α ∈ A and α + β ∈ B. 3. For each database (D 0 , D 1 , D big ) in |ψ good i (resp., (D 0 , D 1 , D small ) in |ψ good i ) with non-zero quantum amplitude, |D 0 | ≤ 2(i − 1), |D 1 | ≤ 2(i − 1), and |D big | ≤ i − 1 (resp., |D small | ≤ i − 1).

|ψ bad
Let RstOE f0 , RstOE f1 , RstOE f small , and RstOE f big be the recording standard oracle with errors for f 0 , f 1 , f small , and f big , respectively. Then, the unitary operators O FSF small and O FSF big are decomposed into 7 unitary operators as and O FSF big = RstOE * f0 · RstOE * f1 · XOR * · RstOE f big · XOR · RstOE f1 · RstOE f0 , respectively, where XOR denotes the unitary operation to add the values f 0 (M ) and f 1 (T ) in Step 3 (state (21)) of the implementation of the oracles, which is defined by XOR |a |b |c = |a |b |c ⊕ a ⊕ b .
To show the proposition, we study how the states |ψ i and |ψ i change when the 7 unitary operators act, in a sequential order. First, we show the following lemma.

For each database
Proof. Let Π valid denote the projection onto the space spanned by the vectors that correspond to valid databases. Then, by applying Proposition 2 to RstOE f0 , we have that The terms (28) can be shown in a similar way as we showed (42). From (38), (43), and (44), follows. Since this inequality and (34) hold, holds, which implies that the fourth property holds for |ψ bad,1 The following lemma shows how the states RstOE f0 |ψ i and RstOE f0 |ψ i change when XOR · RstOE f1 act on them. This lemma can be shown in the same way as we showed Lemma 2. Thus we omit to write the proof.
The next lemma shows how the state changes when RstOE f big and RstOE f small act on the states XOR · RstOE f1 · RstOE f0 |ψ i and XOR · RstOE f1 · RstOE f0 |ψ i , respectively.
Thus the fourth property holds for |ψ bad,3 i . The fourth property for |ψ bad,3 i can be shown in the same way.
The following proposition shows qPRF security of FSF small .

Proposition 8. For a quantum algorithm A that makes at most q quantum queries,
holds.
Proof. Since FSF big is completely indistinguishable from a random function, we have that Adv qPRF FSF small (A) = Adv dist FSF small ,FSF big (A) holds. In addition, since Proposition 7 holds, by applying Proposition 3, we obtain which completes the proof.

Completing the Proof of Theorem 3
Theorem 3 immediately follows from Proposition 6 and Proposition 8.

Conclusions
We gave the first construction, called LRWQ, of quantum-secure TBCs from quantumsecure BCs, and presented its provable security bound against qCPAs. Our proof is based on the compressed oracle technique by Zhandry [Zha19] and the proof strategy to show quantum oracle indistinguishability used in [HI20].
15 RstOE * f 1 XOR * in the proof of Lemma 5 corresponds to U k RstOE * f 0 in this proof. U k is the unitary operator that corresponds to A's offline computation after the k-th query. Future works. We did not consider quantum chosen ciphertext attacks (qCCAs), and showing TBCs that are secure against qCCAs is an interesting future work.
Another important future work is to improve the security bound. Roughly speaking, we prove that our construction LRWQ is secure up to O(2 n/6 ) quantum queries, but we could not find any attack that breaks LRWQ with O(2 n/6 ) quantum queries, and this bound does not seem to be tight.
Next, define where the number of j such that s j = 0 is at most (i − 1). When U enc = CH · U toggle acts on such a state |S , we always obtain a (superposition of) valid database D with |D| ≤ (i − 1). Since (62) holds, this means that the claim of Proposition 1 holds.

B Proof Intuition for Proposition 5
First, we give a proof intuition for (13). When E is an ideally random block cipher, (A) ≤ O(q 2 /2 n ) holds, which proves (13) when E is an ideally random block cipher. It follows from standard hybrid arguments that (13) also holds for the case that E is not necessarily an ideally random block cipher. (See also the proof of Proposition 6. In the classical setting, a random permutation can efficiently be simulated by lazy sampling.) Second, we show the existence of an algorithm C in Proposition 5. Let O be the encryption oracle, which is either LRWQ[E] or a tweakable random permutation RP. Let C be a classical algorithm that runs the following procedure: This modified algorithm C runs in timeÕ(1) and distinguishes LRWQ from RP by making only O(1) queries with an overwhelming probability. Therefore, our construction LRWQ is broken (distinguished from a tweakable random permutation) in timeÕ(1) with only O(1) queries, if the decryption oracle is available.