

























, Netherlands Organisation for Applied Scientific Research, Centrum Wiskunde & Informatica
Ronald Cramer, Centrum Wiskunde & Informatica, Leiden University
Serge Fehr, Centrum Wiskunde & Informatica, Leiden University
Yu-Hsuan Huang, Max Planck Institute for Security and Privacy
Bor de Kock, Netherlands Organisation for Applied Scientific Research
Jana Sotáková, Netherlands Organisation for Applied Scientific Research
It is obviously necessary that the security of post-quantum cryptographic schemes is based on computational problems that are hard to solve even with a quantum computer (unlike, e.g., factoring). Examples of such computational problems appear in the theory of lattices or in coding theory. However, this is not sufficient: also the security proof, which comes in the form of an algorithmic reduction that turns any hypothetical attacker into an algorithm that solves the considered hard computational problem, needs to be valid when considering quantum computing as the model of computation. In this work, we provide an overview of the hurdles one typically encounters when proving the security of post-quantum cryptographic schemes, and we elaborate on some of the mathematical techniques that have been developed in order to overcome these hurdles (to some extent). We also discuss the caveat that even when a security proof can be established (by reducing the security to a quantum-hard computational problem), the reduction often suffers from a larger reduction loss, compared to when proving classical security, which negatively affects the concrete security. In the second part of this work, we offer a survey of the respective reduction losses in (1) generic transformations that are often used in the design of cryptographic schemes (like the Fiat-Shamir and Fujisaki-Okamoto transformations), and (2) some concrete cryptographic schemes (with a focus on those standardized by NIST), when considering classical and when considering post-quantum security. Finally, we consider the notion of bit security, the standard measure of the concrete security of a cryptographic scheme (or of the hardness of an underlying computational problem). A natural question is how the bit security is affected by the different reduction losses we encountered. Surprisingly, we observe that a better or worse reduction (in terms of the reduction loss) is not always reflected as such in the bit security. We explain this phenomenon by the fact that the bit security is oblivious to the actual advantage–time function, and instead considers a worst-case behavior of that function. Thus, by exploiting the actual advantage–time function there is potential to get more accurate (i.e., less conservative) estimates for the concrete security.
BibTeX
@misc{cryptoeprint:2026/846,
author = {Thomas Attema and Ronald Cramer and Serge Fehr and Yu-Hsuan Huang and Bor de Kock and Jana Sotáková},
title = {A Survey on Security Reductions in Post-Quantum Cryptography},
howpublished = {Cryptology {ePrint} Archive, Paper 2026/846},
year = {2026},
url = {https://eprint.iacr.org/2026/846}
}
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。