Security Models

Security Models in
Quantum Cryptography

A quantum protocol can be perfectly engineered and still be insecure — if the security model used to analyse it fails to capture the adversary's real capabilities. Security proofs in quantum cryptography are only as meaningful as the models they assume. This page maps the landscape: from how we classify adversary attacks, to how the real/ideal paradigm formalises security, to why composability determines whether a protocol that is secure in isolation remains secure inside a larger system.

Security Proofs Real/Ideal Paradigm UC Framework QROM Trace Distance Composability Adversary Models

Key Concepts in Quantum Security Proofs

What a Security Proof Actually Says

A security proof in cryptography is a mathematical reduction: it shows that if an efficient adversary can break the protocol, then an efficient algorithm can solve some problem that is assumed hard (e.g., factoring, Learning With Errors). The proof does not guarantee absolute security — it transfers the problem of breaking the protocol to the assumed-hard problem. If that assumption is later broken, the proof tells us nothing.

Three ingredients of every proof: (1) A security model that specifies what the adversary is allowed to do, (2) a security definition that specifies what it means to win, and (3) a reduction that transforms any adversary breaking the definition into a solver for the hard problem. Changing any of these three changes what the proof guarantees.

Quantum security proofs introduce new challenges: Classical reductions rely on techniques — such as rewinding a prover, programming a random oracle, or rewinding a simulator — that do not transfer to quantum adversaries. Quantum measurement disturbs state. Copying a quantum state is forbidden by no-cloning. Superposition queries to a hash function extract information inaccessible to classical adversaries. Each of these forces re-examination of classical proof machinery.

Trace Distance — The Fundamental Security Measure for QKD

For quantum key distribution, security cannot be measured purely by mutual information (the classical metric). Eve may hold a quantum state entangled with the key and delay her measurement until after the key is used — at which point classical information theory provides no bound on what she can learn. The correct measure is trace distance.

Given the joint state ρKE of the key K and Eve's system E at the end of the protocol, and the ideal state τK ⊗ ρE where the key is perfectly uniform and independent of Eve, composable security requires:

½ ‖ ρKE − τK ⊗ ρE1 ≤ ε

This trace distance bound ε quantifies how distinguishable the real key state is from a perfect key. Crucially, it bounds Eve's advantage in any task she might use the key for — including tasks involving her quantum memory and future quantum measurements. This makes it the correct metric for composable security proofs, unlike mutual information which only bounds what Eve can extract at a single fixed point in time.

Practical significance: BB84 with privacy amplification achieves ε exponentially small in the privacy amplification length. The finite-key regime — where Alice and Bob exchange a finite number of quantum states — requires careful accounting of smooth min-entropy, statistical estimation errors, and error correction leakage to establish a rigorous composable bound.

The Adversary Hierarchy — What Eve Is Allowed to Do

EVE'S ADVERSARIAL POWER — THREE ATTACK CLASSES STRICTLY MORE POWERFUL — each class contains the one to its left — Individual Attacks (weakest adversary model) ✓ Probes each photon independently attaches a separate ancilla to each signal ✗ No quantum memory must measure each ancilla before next signal ✗ No inter-round correlations rounds are independent Security proofs: Simplest to construct; informative but insufficient for practical deployment. Physically unrealistic today — weak quantum memories exist. Collective Attacks (standard security target) ✓ Independent interaction per round same Stinespring isometry each round ✓ Quantum memory stores all ancillas for collective measurement ✗ Each round's channel is identical no adaptive variation between rounds Security proofs: Tractable with entropic tools. Most QKD proofs achieve this level. Upgraded to coherent via de Finetti or post-selection technique. Coherent Attacks (most general — gold standard) ✓ Arbitrary interaction, all rounds arbitrary joint unitary over all signals ✓ Quantum memory + correlation stores entangled ancillae across all rounds ✓ Adapts to classical information uses error-correction leakage to improve attack Security proofs: Most difficult to prove. Required for composable security guarantees. BB84 (Renner 2005), CV-QKD (Leverrier 2015). The de Finetti theorem and post-selection technique allow reducing coherent attack proofs to collective attack proofs under permutation symmetry
Eve's attack power is stratified into three classes, each strictly containing the one before it. Individual attacks assume no quantum memory — a restriction no longer physically realistic. Collective attacks, the standard working assumption, allow a quantum memory but independent per-round interactions. Coherent attacks are the most general: Eve holds a joint quantum system across all rounds and can exploit classical side-information. Composable security requires proofs against coherent attacks.

The Real/Ideal World Paradigm

Comparison of real and ideal quantum cryptographic worlds showing Alice, Bob, and Eve with key distribution
In the real world (right), Alice and Bob exchange quantum states and classical messages; Eve holds a correlated quantum state. In the ideal world (left), Alice and Bob receive a perfect, uniformly random key with Eve holding nothing correlated to it. Security requires that no environment — no matter what it does after the protocol ends — can distinguish the real world from the ideal. Source: ResearchGate — CC-BY 4.0 — A Simple Security Proof for Entanglement-Based QKD

How the Paradigm Works

The real/ideal world paradigm is the foundation of modern simulation-based security proofs. Rather than defining security as a list of properties a protocol must satisfy, it asks a single question: can any computationally bounded environment tell the difference between interacting with the real protocol and interacting with an idealised, perfectly secure version?

The ideal functionality F is a trusted black box that captures the intended security properties in their purest form. For key distribution, F simply hands identical, uniformly random, secret keys to Alice and Bob while Eve receives nothing correlated. For a commitment scheme, F enforces both hiding and binding simultaneously and perfectly. F is the definition of what “secure” means for that task.

The real protocol π runs among the actual parties with no trusted third party. The adversary A attacks the real execution: delivering messages, corrupting parties, timing side channels. The simulator S is the mathematical tool used in the proof: it runs in the ideal world alongside F, with access only to F's inputs and outputs, and must generate a simulated transcript indistinguishable from A's real-world view.

The fundamental challenge in quantum proofs: Classical simulators use rewinding — they copy an adversary's state and re-run it from a checkpoint. The no-cloning theorem prohibits copying a quantum state. This means rewinding-based proof techniques fail against quantum adversaries, and new simulator constructions (such as straight-line simulators that never rewind) must be found for each protocol class. This is one of the deepest obstacles in quantum cryptographic security theory.

The Security Model Landscape — ROM, QROM, and UC

SECURITY MODEL COMPARISON — QUANTUM CRYPTOGRAPHY MODEL ADVERSARY'S HASH ACCESS COMPOSABILITY STRENGTH MAIN WEAKNESS Standard Model No idealised primitives N/A — hash functions modelled as concrete algorithms Standalone only ✓ Most rigorous no hash idealisation Few schemes provable; proofs often impossible ROM Random Oracle Model Classical queries only one input → one output per query Standalone, limited composition Widely deployed; enables many practical proofs Insecure against quantum adversaries with superposition QROM Quantum Random Oracle Model Quantum superposition queries adversary queries |ψ⟩ over many inputs Standalone; not inherently composable Post-quantum security; used in NIST PQC proofs New proof techniques needed; ROM proofs don't auto-lift Standalone Security Single isolated execution Model-dependent ✗ Not composable Simpler proofs; useful for analysis No security guarantee when used in larger protocols UC Framework Universal Composability Arbitrary — model-independent ✓ Fully composable security preserved in any context Gold standard; security holds under arbitrary concurrent execution Some tasks impossible (e.g. bit commitment in plain model)
A comparison of the main security models used in quantum cryptographic proofs. The progression from Standard Model through ROM, QROM, standalone, and UC reflects increasing generality and quantum-awareness. The UC framework offers the strongest composability guarantees but requires the heaviest proof machinery and makes some tasks provably impossible without setup assumptions.

The ROM and Its Quantum Problem

The Random Oracle Model (ROM), introduced by Bellare and Rogaway in 1993, models a hash function as an ideal random function accessible only as a black-box oracle. Proofs in the ROM show that if the oracle behaves randomly, the scheme is secure — a strong heuristic for well-designed hash functions. The ROM is extremely productive: schemes like RSA-OAEP, Schnorr signatures, and many others have clean ROM proofs but no standard-model alternative.

The quantum problem: In the ROM, the adversary makes classical queries: one input per query, one output. A quantum adversary can query the oracle in superposition — a single query evaluates the hash function on an exponential number of inputs simultaneously. This superposition access breaks the classical proof technique of “programming the oracle” (making the oracle return a specially crafted value at a key point), because programming requires knowing which input the adversary will query next, which measurement of a quantum state would disturb.

QROM (Boneh et al. 2011): The Quantum Random Oracle Model gives the adversary quantum superposition access to the oracle. Schemes proven secure in the QROM are heuristically secure against quantum adversaries. Critically, ROM-security does not imply QROM-security: there exist constructions that are provably secure in the ROM and provably insecure in the QROM. The NIST PQC process explicitly requires QROM security proofs for schemes that use hash functions as security-critical components.

Universal Composability — Security That Survives Composition

UC framework showing real world with protocol and adversary versus ideal world with ideal functionality and simulator
The UC framework (Canetti, 2001). Left: the real world, where parties execute protocol π and adversary A controls all communication. Right: the ideal world, where dummy parties interact with ideal functionality F and simulator S. UC-security means no efficient environment Z can distinguish the two worlds — regardless of what else Z is concurrently running. Source: ResearchGate — The Real World/Ideal World Paradigm in the UC Framework

Composability — Why Isolated Security Is Not Enough

The Composability Problem

Standalone security proves that a single, isolated execution of a protocol is secure. But real systems do not run in isolation. A QKD protocol generates a key that is then used by an encryption scheme. That encryption scheme runs alongside an authentication protocol. The entire stack runs on a network where hundreds of other protocols execute concurrently. Standalone security says nothing about this situation.

A concrete failure: Consider a QKD protocol proven secure using mutual information: the key K satisfies I(K ; E) ≈ 0 at the end of the protocol. Now Alice and Bob use K to encrypt a message M under the one-time pad. Eve holds a quantum state correlated with K. She delays her measurement. She now measures her state given M — using the encryption as a quantum side-channel. Mutual-information security provided no bound for this scenario because it measured Eve's information before the key was used. The proof was valid but the guarantee was useless for the actual application. Trace-distance composable security closes this gap by bounding Eve's advantage in any task using the key, including tasks involving her quantum memory and future measurements.

Sequential composition: In QKD, Alice and Bob may need to run multiple protocol rounds to generate a long key. Sequential composition ensures that running the protocol n times produces n composably secure key segments that can be concatenated. Without the sequential composition theorem, no argument of this kind is valid.

THE COMPOSABILITY CHAIN — WHY IT MATTERS FOR QKD 1. Quantum Channel BB84 / E91 states transmitted & measured. Eve holds quantum state correlated with raw bits. Coherent attack model required. 2. Error Correction Public reconciliation; leakage = leak bits. Eve now has leaked classical info AND her quantum state. Key rate reduced by leak bits. 3. Privacy Amplification Hash raw key to shorter secure key. Leftover hash lemma: min-entropy → trace distance bound. Composable security established here. 4. Composable Key K Trace distance ε from ideal uniform key. Security holds for any application, any concurrent protocol. One-time pad now provably secure. 5. Application Encryption, authentication, MPC subroutine… Composition theorem: security of K is inherited by application. Non-composable proofs break at Step 4: they bound mutual information I(K;E) which fails to account for Eve's quantum memory when she delays measurement until after Step 5. Trace distance composable proofs bound Eve's advantage in Step 5 directly.
The composability chain for QKD shows why each stage must be handled correctly. Error correction leaks classical information that Eve can combine with her quantum state. Privacy amplification then applies the leftover hash lemma to convert smooth min-entropy into a composable trace-distance bound. Only at Step 4 is the key truly composably secure: safe to use in any application, even one running concurrently with other protocols that Eve can adaptively influence.

The UC Framework for Quantum Protocols

Universal Composability (UC), formalised by Canetti (2001) and extended to the quantum setting by Ben-Or and Mayers (2004) and Unruh (2010), is the strongest composability guarantee available. A protocol π is UC-secure if it UC-realises an ideal functionality F: for every efficient adversary A in the real world, there exists an efficient simulator S in the ideal world such that no efficient environment Z can distinguish the two executions. The environment Z plays the role of any surrounding system the protocol might be embedded in — it is unboundedly adaptive in what it sends and observes.

The universal composition theorem states: if π UC-realises F, then replacing every call to F in any larger protocol ρ with a call to π produces a protocol that UC-realises whatever ρ realises. This modular substitution preserves all security guarantees, even in the presence of arbitrary concurrent protocol executions. It is the formal foundation for building cryptographic systems from independently proven components.

The quantum challenge to rewinding: The rewinding technique — a cornerstone of classical UC simulation — copies the adversary's internal state and re-runs it. No-cloning prohibits this for quantum adversaries. Unruh's quantum UC framework requires constructing straight-line simulators that never rewind: they interact with the adversary only in the forward direction, extracting needed information without state copies. This restricts which protocols admit quantum UC proofs and forces fundamentally new simulation arguments.

Evaluating Security Models — Strengths and Weaknesses

📐

Standalone Security

Strengths: Easier to prove; sufficient for analysis and understanding protocol structure; widely used in theoretical QKD literature.

Weaknesses: Security does not compose. A standalone-secure QKD protocol used inside a larger application may be completely insecure. Mutual-information-based standalone proofs are particularly fragile against quantum adversaries who delay measurement.

🔍

ROM / QROM

Strengths: QROM enables practical post-quantum proofs for hash-based constructions. Widely accepted; NIST PQC standards use QROM proofs. More provable schemes than standard model.

Weaknesses: Still a heuristic — hash functions are not true random oracles. ROM-security does not imply QROM-security. QROM proof techniques are technically demanding; many ROM proofs have no known QROM analogue.

🧱

UC Framework

Strengths: Gold standard for composability. Security holds under arbitrary concurrent execution. Modular design: prove components separately, compose freely. Captures quantum adversary capabilities fully via trace distance.

Weaknesses: Some tasks are provably impossible in the plain UC model without setup (e.g., classical bit commitment). Rewinding prohibition forces difficult straight-line simulator constructions. Proofs are significantly more complex than standalone or game-based alternatives.

⚠️

Finite-Key Regime

Strengths: Operationally realistic; asymptotic proofs cannot be deployed. Composable finite-key bounds tell implementers exactly how many quantum states to exchange for a target security level.

Weaknesses: Key rates are significantly lower than asymptotic predictions. Statistical estimation errors compound. For CV-QKD, the first composable finite-key proof against collective attacks (Leverrier 2015) required N ≈ 3.5×10⁸ coherent states — experimentally demanding.

The open problem: Classical UC and quantum UC are not the same framework. Extending UC to fully capture quantum protocols — including those where parties can send quantum states, not just classical messages — remains an active research area. Unruh's quantum UC framework handles this for many cases, but questions about the exact boundaries of what is and is not UC-realisable in the quantum setting, particularly for device-independent protocols, are open. Whether P = BPP (derandomization) has implications for whether quantum UC security can be reduced to classical UC security in certain settings.

Resources & Further Reading

Resources

Further Reading

The Rewinding Problem in Quantum Proofs

Classical security proofs rely on rewinding: the simulator copies an adversary's state and re-runs it from an earlier checkpoint to extract a witness or produce a consistent transcript. The quantum no-cloning theorem prohibits this. Quantum UC proofs therefore require straight-line simulators that interact with the adversary only in the forward direction — a much harder construction that restricts which protocols can be proven UC-secure and forces new algorithmic ideas. This is an active and largely open area of quantum cryptographic theory.