Thanks Dan, this is an interesting result.
It may be worth breaking your new result down further. The
OW-CPA randomized PKE to OW-CPA deterministic T[PKE,G]
reduction takes place with an intermediate OW-PCA step. In
OW-PCA, the attacker gets q guesses via an oracle instead of
just one. (In the classical model this is the same as q-OW-CPA,
where the attacker gets q guesses at the end; in the quantum
model, it is not the same because the PCA oracle is typically
quantum accessible, and so can be attacked with Grover’s
algorithm.)
The OW-CPA to OW-PCA reduction is loose by a factor of q,
for exactly the reason shown in your new paper: if the attacker
can narrow the message down to k < q results, then it benefits
from q guesses. In the QROM it benefits by a factor of O(dq)
from Grover’s algorithm, where d <= q is the query depth.
The derandomization to OW-CPA T[PKE,G] step is tight in the
ROM. In the QROM it’s tight with respect to constants, but has
a square root loss at least if you use the double-sided one-way
to hiding lemma.
In any case, this reinforces what we already largely know about
the tightness of derandomization: it’s not enough if the attacker
can’t guess your plaintext in one guess; they must be unable to
guess it in q guesses (in the quantum case, via an oracle).
The corresponding reductions from IND-CPA, which is as you
mention a stronger assumption, is of the form (roughly)
Adv-OW-CPA(T[PKE,G]) <= Adv-IND-CPA(PKE) + (2q+1) / |M|.
In the QROM, it’s:
Adv-OW-CPA(T[PKE,G]) <= (d+2)(Adv-IND-CPA(PKE) + 8(q+1) / |M|).
This can be seen in your ElGamal example, which is plausibly
IND-CPA secure (against classical computers; for quantum ones
we can substitute CSIDH). Here the guessing attack, or in the
quantum case the Grover attack, comes from the second term in
the reduction: it’s an attack by guessing the message, and it does
correspond to the O(q/M) or O(dq/M) terms. These terms correspond
to a known attack (your attack in this paper), and are less threatening
because we already know to make |M| large for these reductions.
For this case, as far as I’m aware the (d+2) Adv-IND-CPA(PKE) term
in the QROM case does not correspond to a known attack, and so we
might hope to improve it, or to prove with a counterexample that this
is not possible. Perhaps someone already has; I’m not up-to-date on
the field.
Cheers,
— Mike