On Post-Quantum Cryptography

Transcription

1 On Post-Quantum Cryptography Ehsan Ebrahimi Quantum Cryptography Group University of Tartu, Estonia 15 March 2018 Information Security and Cryptography Group Seminar

2 Post-Quantum Cryptography Users intend to use classical devices to communicate Adversary may have a quantum computing device

3 Post-Quantum Cryptography Users intend to use classical devices to communicate Adversary may have a quantum computing device 1. Subtituite quantumly solvable problems (e.g. Factoring) with quantum hard assumption (e.g. Lattice)

4 Post-Quantum Cryptography Users intend to use classical devices to communicate Adversary may have a quantum computing device 1. Subtituite quantumly solvable problems (e.g. Factoring) with quantum hard assumption (e.g. Lattice) 2. Design cryptographic protocols based on them

5 Post-Quantum Cryptography Users intend to use classical devices to communicate Adversary may have a quantum computing device 1. Subtituite quantumly solvable problems (e.g. Factoring) with quantum hard assumption (e.g. Lattice) 2. Desing cryptographic protocols based on them 3. Prove the security of the protocols Classical Security techniques may not work E.g. Security proofs in the random oracle model Properties of hash functions Prove soundness considering new security notions (e.g. IND-qCPA)

6 Our contribution We proved the security of (slightly modified ) Fujisaki-Okamoto transform in the quantum random oracle model We studied the properties of hash functions in quantum case Indifferentiability from a random oracle Collision-resistance property for non uniform functions We studied the IND-qCPA security of modes of operation

7 Random δ G key priv Enc G δ H Randomness publ Enc pk Message m C 1 C 2 Fujisaki-Okamoto Transform

8 Random δ G key priv Enc G δ H Randomness publ Enc pk Message m C 1 C 2 Fujisaki-Okamoto Transform is IND-CCA Secure in ROM

9 Random oracles H, G Classical Adversary (pk) m 0, m 1 y = Enc hy (m b, randomness) Decryption queries (not y) Challenger (pk,sk) b $ {0,1} Outputs b and wins if b = b IND-CCA game in ROM

10 Random oracles H, G Quantum Adversary (pk) m 0, m 1 y = Enc hy (m b, randomness) Decryption queries (not y) Challenger (pk,sk) b $ {0,1} Outputs b and wins if b = b

11 Superposition access x,y α x,y x, y H x,y α x,y x, y H(x)

12 To prove IND-CCA in quantum random oracle model We modified the Fujisaki-Okamoto transform (adding a hash function) We need to study the properties of hash functions when adversay has superposition access to the hash function

13 δ Random δ Message m G key priv Enc G δ H Randomness publ Enc H pk C 1 C 2 C 3 Our modified version

14 H is added since list of input/output of queries are needed We need to reprogram the random oracle. (E.g. Replace G(δ) with a random element) One way to hidding lemmas by Unruh Finding a collision for Enc pk pub H will break the security We studied quantum collision propblem for non uniform functions

15 H is added since list of input/output queries are needed We need to reprogram the random oracle. (E.g. Replace G(δ) with a random element) One way to hidding lemmas by Unruh Finding a collision for Enc pub pk H will break the security We studied quantum collision propblem for non uniform functions Next slide

16 Quantum collision Problem f x y where y is chosen accodring to a distirbution D on [M] α x,y x, y x,y f :[N] [M] α x,y x, y f(x) x,y x 1 x 2 such that f(x 1 ) = f( x 2 ).

17 Our result For upper bounds: Mostly use Grover search algorithm For lower bounds: Reducing the problem to the quantum collision for an uniform function 1. Using the left over hash lemma 2. Write the distribution D as a convex combination of new distributions that are close to uniform

18 Our result For upper bounds: Mostly use Grover search algorithm For lower bounds: Reducing the problem to the quantum collision for a uniform function 1. Using the left over hash lemma 2. Write the distribution D as a convex combination of new distributions that are close to uniform Indifferentiability

19 Indifferentiability is stronger than collision-resistance For instance Bertoni et al, Prove the Indifferentiability of Sponge construction from a random oracle Then, collision-resistance is a corollary

20 Indifferentiability Definition Sponge(f) is indifferentiable from a random oracle H Private Interface Sponge(f) f Private Interface H Simulator D Public Interface D Public Interface

21 Indifferentiability in Quantum Setting Two constructions Sponge(f) and H are quantum indifferentiable Private Interface Sponge(f) f Private Interface H Simulator D Public Interface D Public Interface

22 Basis ={ 00, 01, 10, 11 } β 00 = 1 2 ( ) β 00 = 1 2 Entanglement Question: β 00 =? φ ψ β 00 = = a b c d = ad bc ac bd a 0, c 0 a = 0 or d = 0 b = 0 or c = 0 b 0, d 0 Contradiction!

23 Conjecture: Quantum Indifferentiability Is Not Achievable

24 Conjecture: Quantum Indifferentiability Is Not Achievable Queries to the public interface in the real case:

25 Conjecture: Quantum Indifferentiability Is Not Achievable Queries to the public interface in the real case: In the ideal case: If the quantum simulator makes the inner state entangled with the query register, the distinguisher will detect

26 Conjecture: Quantum Indifferentiability Is Not Achievable Queries to the public interface in the real case: In the ideal case: If the quantum simulator makes the inner state entangled with the query register, the distinguisher will detect Intuitively, this means that the quantum simulator is stateless and can not copy the query input

27 Conjecture: Quantum Indifferentiability Is Not Achievable Queries to the public interface in the real case: In the ideal case: If the quantum simulator makes the inner state entangled with the query register, the distinguisher will detect Intuitively, this means that the quantum simulator is stateless and can not copy the query input For a classical distinguisher, there is a classical stateless simulator

28 Conjecture: Quantum Indifferentiability Is Not Achievable Queries to the public interface in the real case: In the ideal case: If the quantum simulator makes the inner state entangled with the query register, the distinguisher will detect Intuitively, this means that the quantum simulator is stateless and can not copy the query input For a classical distinguisher, there is a classical stateless simulator and this is not possible for most of constructions NEXT SLIDE

29 Counting argument (by an example) The real case: The idea case: f: 0,1 c+r 0,1 r+c (Sim stateless (H), H) Sponge f : 0,1 0,1

30 Counting argument (by an example) The distinguisher can query the public interface (enough times) to construct Sponge f (x) Then, it queries the private interface to get Sponge f (x) (or H(x)) Checks if Sponge f (x) = Sponge f (x) (or = H(x))

31 Post-Quanutm Security of Modes of Operation Block cipher is used in Modes of Operation to encrypt longer messages IND-CPA notion is a security goal for Modes of Operation assuming the underlying block cipher is a PRF We studied the IND-qCPA security of Modes of Operation

32 IND-qCPA Quantum Adversary m 0, m 1 y = Enc hy (m b, randomness) Challenger (sk) b $ {0,1} Encryption queries Outputs b and wins if b = b

33 Our result

34 Future Works and Open Problems Proving the IND-CCA security of Fujisaki-Okamoto construction (without modification) in the quantum random oracle model or giving a quantum attack to Fujisaki-Okamoto construction. Is transformation from IND-qCPA to IND-qCCA possible in the quantum random oracle model? (using FO constructions for instance) The conjecture: quantum indifferentiability is not achievable can be proven?

35 Acknowledgment Thanks to to support my visit. Thanks to Dr. Christopher Portmann, Ms. Claudia Günthart to help me to get here. Thanks to ETH Information Security and Cryptography Group for a friendly and productive atmosphere.