Simulation-Secure Functional Encryption

• Simulation-secure functional encryption is a cryptographic paradigm defined via a real-vs-ideal framework where simulators reproduce adversary views using only function-output leaks.
• Impossibility results in both classical and quantum settings reveal information-theoretic compression barriers that make SIM-security unattainable in the plain model.
• Bounded storage models such as BQSM and BCSM enable practical simulation-based FE schemes by leveraging adversarial memory limits to bypass inherent compression constraints.

Simulation-secure functional encryption (SIM-FE) is a cryptographic paradigm that formalizes security via simulation in a “real-vs-ideal” sense, demanding that any attack on an actual encryption can be reproduced using only function-output leaks. This security notion is regarded as the gold standard for functional encryption (FE), but is generally unachievable in the plain model due to fundamental information-theoretic barriers. Recent research clarifies both the extent of these impossibility results—both classically and quantumly—and delineates models under which SIM-security becomes achievable, primarily via strong memory restrictions or specific complexity assumptions.

1. Formal Framework for Simulation-Secure Functional Encryption

SIM-FE is defined for a scheme $$\mathsf{FE}=(\mathsf{Setup},\mathsf{KeyGen},\mathsf{Enc},\mathsf{Dec})$$ over a function class $\mathcal{F}$. Security is captured via a real/ideal paradigm: in the real experiment, an adversary interacts with oracles for key generation and encryption; in the ideal experiment, a simulator, given only function-output pairs, must simulate the adversary’s view. SIM-security holds if an efficient simulator can render the real and ideal experiments computationally indistinguishable for all efficient adversaries: $$\Bigl\{\mathsf{Real}^{\mathsf{SIM}_{\mathcal{A},\lambda}}\Bigr\}_{\lambda} \approx_c \Bigl\{\mathsf{Ideal}^{\mathsf{SIM}_{\mathcal{A},\lambda}}\Bigr\}_{\lambda}$$ with variants determined by the number and adaptivity of ciphertext or key queries ($q$-$x$-$y$-$z$ notation). The quantum case generalizes this model by allowing keys and ciphertexts to be quantum states, quantifying indistinguishability in trace distance.

2. Impossibility Results in Classical and Quantum Settings

Classical impossibility of SIM-FE is well-established: even with one adaptive key and many ciphertext queries, simulation becomes information-theoretically impossible due to entropy bottlenecks. Central results demonstrate that these impossibility frontiers extend to the quantum regime (Barhoush et al., 24 Jan 2026):

• Unconditional quantum impossibility: No quantum FE scheme is $\mathsf{M}$-$1$-$\mathsf{AD}$-SIM secure; that is, simulation security fails when the adversary makes polynomially many ciphertext queries and one adaptive key query. This is tightly connected to quantum data compression: simulating such a view would require compressing $n$ uniformly random bits into fewer than $n$ qubits, violating Nayak–Salzman’s incompressibility bound.
• Impossibility under pseudorandom quantum states (PRQS): No succinct quantum SIM-FE exists even with a single ciphertext and one non-adaptive key query, assuming efficiently constructible families of pseudorandom quantum states. The simulation task becomes equivalent to compressing PRQS below their min-entropy, shown to be infeasible by quantum incompressibility arguments.
• Impossibility from classical public-key encryption: Under the existence of CPA-secure classical PKE, even secret-key QFE cannot achieve $1$-$\mathsf{M}$-$\mathsf{NA}$-SIM security. In this attack, the adversary leverages re-encryption to amplify its view into a compression problem for independent messages.

These impossibility proofs are rooted in quantitative compression lower bounds for quantum states: $$\bar F(\Phi)\le\frac{2^m+1}{2^n+1}=2^{m-n}+O(2^{-n}),$$ where $\Phi$ compresses $n$ qubits to $m$, revealing that high-fidelity recovery is exponentially infeasible.

3. Bounded Storage Models: Achieving Simulation Security

While SIM-FE is unattainable in the plain model, simulation-based security becomes achievable in bounded storage models (Barhoush et al., 2023). The two principal models are:

• Bounded Quantum Storage Model (BQSM): The adversary is limited to $s$ qubits at $r$ interaction points; honest parties must only have $q=O(\sqrt{s}/r)$ quantum memory. The main positive result is an explicit construction of an information-theoretic non-interactive FE scheme satisfying this bound. Theorem:

$$\exists~(s,r,q,c)\text{-BQSM-NI-FE}~\text{with}~q=O\left(\frac{\sqrt{s}}{r}\right).$$

This tradeoff is optimal; any such scheme for $(c+1)$-unlearnable circuit classes must have $q=\Omega(\sqrt{s/r})$. An additional interactive construction achieves $q=0$ and $r=1$ under standard one-way functions.

• Bounded Classical Storage Model (BCSM): The adversary is limited to $m$ bits of classical memory. Under the assumption of subexponential grey-box obfuscation, non-interactive FE schemes can achieve subexponential simulation-based security. Theorem:

$\exists~(m,\ell)\text{-BCSM-NI-FE}~\text{assuming}~(m',\subexp(\lambda))\text{-BCS-SGB},~m'<O(m+\ell)$

The assumption is minimal: grey-box obfuscation and SIM-secure FE are shown equivalent for this model.

4. Impact of Compression Barriers and Incompressibility

The unifying barrier to SIM-security—in both classical and quantum scenarios—is information-theoretic incompressibility. In the quantum case, the inability to compress arbitrary or pseudorandom quantum states (even with entanglement assistance) constrains the achievable security of FE schemes. A crucial lemma formalizes that if $n>2k$, no entanglement-assisted quantum protocol with $k$ qubits of communication can transmit $n$ random bits with non-negligible probability, precluding simulation.

Similarly, the quantum generalization of the classical barrier holds even in the presence of richer quantum resources, as the simulation task in the ideal experiment is fundamentally an infeasible state compression or data hiding task.

5. Cryptographic Assumptions and Open Directions

Classical impossibility relies on the existence of pseudorandom functions (PRF) to separate real and ideal attacks. The quantum extension demonstrates that pseudorandom quantum states, a potentially weaker assumption, suffice for the same negative result. Alternatively, public-key encryption assumptions yield independent impossibility proofs orthogonal to PRQS.

Open directions include:

• Identifying restricted circuit classes (e.g., preimage-sampleable circuits) or weakened leakage functions where quantum SIM-FE can be achieved.
• Developing schemes under bounded-memory or side-channel models, leveraging the demarcation that SIM-security is possible when classical or quantum storage limits are imposed.
• Clarifying the regime where the adversary makes one ciphertext query, one non-adaptive key query, followed by many adaptive keys; while classically feasible, quantum security in this setting remains unresolved.

6. Summary Table: Impossibility and Feasibility of SIM-FE

Model/Setting	Feasible?	Key Reference
Classical plain model	No (impossible)	(Barhoush et al., 24 Jan 2026)
Quantum plain model	No (impossible, matches classical)	(Barhoush et al., 24 Jan 2026)
BQSM ($q=O(\sqrt{s}/r)$)	Yes (IT SIM-secure, optimal tradeoff)	(Barhoush et al., 2023)
BQSM ($q=0, r=1$, OWFs)	Yes (computational, interactive)	(Barhoush et al., 2023)
BCSM (subexp obf.)	Yes (subexp-SIM-secure, min. assumption)	(Barhoush et al., 2023)

7. Discussion and Research Significance

Simulation-based security for functional encryption remains out of reach in the plain (classical or quantum) model due to robust information-theoretic bottlenecks rooted in state incompressibility, regardless of quantum capabilities. Positive results in bounded storage models indicate that practical cryptography may leverage hardware or operational constraints to bypass these barriers, and equivalence results tie the cryptographic power of SIM-FE in these models to longstanding primitives such as grey-box obfuscation.

These findings delineate the precise boundary between infeasibility and feasibility for simulation-secure functional encryption and highlight foundational connections among quantum information theory, cryptographic complexity, and the structural properties of classical and quantum state spaces. The search for new tractable classes or alternative models remains a significant line of inquiry for both theoretical investigation and the design of practical privacy-preserving cryptosystems.