Post-Quantum Security of the Fujisaki-Okamoto (FO) and OAEP Transforms

Size: px

Start display at page:

Download "Post-Quantum Security of the Fujisaki-Okamoto (FO) and OAEP Transforms"

Magnus Hodges
5 years ago
Views:

1 Post-Quantum Security of the Fujisaki-Okamoto (FO) and OAEP Transforms Made by: Ehsan Ebrahimi Theory of Cryptography Conference, Beijing, China Oct Nov. 3, 2016 Joint work with Dominique Unruh

2 Motivation: Post-Quantum Cryptography Users intend to use classical cryptographic schemes, however, the adversary has the quantum computing power. 1 [Ambainis, Rosmanis and Unruh, Quantum attacks on classical proof systems (the hardness of quantum rewinding), FOCS 2014]

3 Motivation: Post-Quantum Cryptography Users intend to use classical cryptographic schemes, however, the adversary has the quantum computing power. 1 Quantum hard problems are needed. 1 [Ambainis, Rosmanis and Unruh, Quantum attacks on classical proof systems (the hardness of quantum rewinding), FOCS 2014]

4 Motivation: Post-Quantum Cryptography Users intend to use classical cryptographic schemes, however, the adversary has the quantum computing power. 1 Quantum hard problems are needed. 2 Design cryptographic schemes based on them. 1 [Ambainis, Rosmanis and Unruh, Quantum attacks on classical proof systems (the hardness of quantum rewinding), FOCS 2014]

5 Motivation: Post-Quantum Cryptography Users intend to use classical cryptographic schemes, however, the adversary has the quantum computing power. 1 Quantum hard problems are needed. 2 Design cryptographic schemes based on them. 3 Prove quantum security: classical security may not work. 1 [Ambainis, Rosmanis and Unruh, Quantum attacks on classical proof systems (the hardness of quantum rewinding), FOCS 2014]

6 Motivation: Post-Quantum Cryptography Users intend to use classical cryptographic schemes, however, the adversary has the quantum computing power. 1 Quantum hard problems are needed. 2 Design cryptographic schemes based on them. 3 Prove quantum security: classical security may not work. E.g. Security proofs in the Random Oracle Model. 1 [Ambainis, Rosmanis and Unruh, Quantum attacks on classical proof systems (the hardness of quantum rewinding), FOCS 2014]

7 Motivation: Post-Quantum Cryptography Users intend to use classical cryptographic schemes, however, the adversary has the quantum computing power. 1 Quantum hard problems are needed. 2 Design cryptographic schemes based on them. 3 Prove quantum security: classical security may not work. E.g. Security proofs in the Random Oracle Model. Relative to a specific oracle, the Fiat-Shamir transform is insecure in the quantum setting. 1 1 [Ambainis, Rosmanis and Unruh, Quantum attacks on classical proof systems (the hardness of quantum rewinding), FOCS 2014]

8 Our contribution Security of the slightly modified Fujisaki-Okamoto and OAEP transforms in the Quantum Random Oracle Model.

9 Random Oracle Model in quantum setting f Adversary Quantum Setting: Cryptographic Scheme 2 2 [Boneh et al. Random Oracles in a Quantum World. ASIACRYPT 2011]

10 Fujisaki-Okamoto (FO) transform Random δ G key priv Enc G δ H Randomness publ Enc pk Message m C 1 C 2

11 Fujisaki-Okamoto (FO) transform: properties of its ingredients The private-key encryption encryption scheme is One-Time secure.

12 Fujisaki-Okamoto (FO) transform: properties of its ingredients The private-key encryption encryption scheme is One-Time secure. The public-key encryption encryption scheme is One-Way secure.

13 Fujisaki-Okamoto (FO) transform: properties of its ingredients The private-key encryption encryption scheme is One-Time secure. The public-key encryption encryption scheme is One-Way secure. The public-key encryption encryption scheme if Well-Spread.

14 Fujisaki-Okamoto (FO) transform: properties of its ingredients The private-key encryption encryption scheme is One-Time secure. The public-key encryption encryption scheme is One-Way secure. The public-key encryption encryption scheme if Well-Spread. Security: IND-CCA secure in the Random Oracle Model

15 Fujisaki-Okamoto (FO) transform: properties of its ingredients The private-key encryption encryption scheme is One-Time secure. The public-key encryption encryption scheme is One-Way secure. The public-key encryption encryption scheme if Well-Spread. Security: IND-CCA secure in the Random Oracle Model Question: What about security in the Quantum Random Oracle Model (QROM)?

16 IND-CCA in the QROM Random oracles H, G Quantum Adversary (pk) m 0, m 1 y = Enc hy (m b, randomness) Decryption queries (not y) Challenger (pk,sk) b $ {0,1} Outputs b and wins if b = b

17 Challenges in the Quantum setting FO: Enc hy pk (m; δ) = ( Enc publ pk ( δ; H ( δ Enc priv G(δ) (m))), Enc priv G(δ) (m) ) Security techniques used in the classical proof:

18 Challenges in the Quantum setting FO: Enc hy pk (m; δ) = ( Enc publ pk ( δ; H ( δ Enc priv G(δ) (m))), Enc priv G(δ) (m) ) Security techniques used in the classical proof: 1 List of (δ, H(δ)) and (δ, G(δ)) are needed!

19 Challenges in the Quantum setting FO: Enc hy pk (m; δ) = ( Enc publ pk ( δ; H ( δ Enc priv G(δ) (m))), Enc priv G(δ) (m) ) Security techniques used in the classical proof: 1 List of (δ, H(δ)) and (δ, G(δ)) are needed! 2 Reprogramme the random oracle: E.g. They use some random elements instead of a given output G(δ ) and H(δ.)!

20 Challenges in the Quantum setting FO: Enc hy pk (m; δ) = ( Enc publ pk Security techniques used in the classical proof: 1 List of (δ, H(δ)) and (δ, G(δ)) are needed! ( δ; H ( δ Enc priv G(δ) (m))), Enc priv G(δ) (m) ) 2 Reprogramme the random oracle: E.g. They use some random elements instead of a given output G(δ ) and H(δ.)! 3 Finding x x st. Enc publ pk (δ ; H(x)) = Enc publ pk (δ ; H(x )) is hard!

21 Challenges in the Quantum setting FO: Enc hy pk (m; δ) = ( Enc publ pk Security techniques used in the classical proof: 1 List of (δ, H(δ)) and (δ, G(δ)) are needed! ( δ; H ( δ Enc priv G(δ) (m))), Enc priv G(δ) (m) ) 2 Reprogramme the random oracle: E.g. They use some random elements instead of a given output G(δ ) and H(δ.)! 3 Finding x x st. Enc publ pk (δ ; H(x)) = Enc publ pk (δ ; H(x )) is hard!

22 Solutions to the Challenges 1 List of (x, H(x)) and (x, G(x)) are needed! Add ( H (δ) to the ciphertext ( Enc asy pk δ; H ( ) δ Enc sy G(δ) (m))), Enc sy G(δ) (m), H (δ). 3 [Unruh, Revocable quantum timed-release encryption, Eurocrypt 2014 ] 4 [Ebrahimi Targhi, Tabia, Unruh. Quantum Collision-Resistance of Non-uniformly Distributed Functions. PQCrypto 2016]

23 Solutions to the Challenges 1 List of (x, H(x)) and (x, G(x)) are needed! Add ( H (δ) to the ciphertext ( Enc asy pk δ; H ( ) δ Enc sy G(δ) (m))), Enc sy G(δ) (m), H (δ) 2 It uses a random element instead of a given output H(δ) or G(δ)! Using One-way to hiding Lemmas 3 as a tool to reprogramme the random oracle. 3 [Unruh, Revocable quantum timed-release encryption, Eurocrypt 2014 ] 4 [Ebrahimi Targhi, Tabia, Unruh. Quantum Collision-Resistance of Non-uniformly Distributed Functions. PQCrypto 2016]

24 Solutions to the Challenges 1 List of (x, H(x)) and (x, G(x)) are needed! Add ( H (δ) to the ciphertext ( Enc asy pk δ; H ( ) δ Enc sy G(δ) (m))), Enc sy G(δ) (m), H (δ) 2 It uses a random element instead of a given output H(δ) or G(δ)! Using One-way to hiding Lemmas 3 as a tool to reprogramme the random oracle 3 Finding x x st. Enc asy pk (δ; H(x)) = Encasy pk (δ; H(x )) is hard! The collision-resistance of random functions with outputs sampled from a non-uniform distribution 4. 3 [Unruh, Revocable quantum timed-release encryption, Eurocrypt 2014 ] 4 [Ebrahimi Targhi, Tabia, Unruh. Quantum Collision-Resistance of Non-uniformly Distributed Functions. PQCrypto 2016]

25 Solutions to the Challenges 1 List of (x, H(x)) and (x, G(x)) are needed! Add ( H (δ) to the ciphertext ( Enc asy pk δ; H ( ) δ Enc sy G(δ) (m))), Enc sy G(δ) (m), H (δ) 2 It uses a random element instead of a given output H(δ) or G(δ)! Using One-way to hiding Lemmas 3 as a tool to reprogramme the random oracle 3 Finding x x st. Enc asy pk (δ; H(x)) = Encasy pk (δ; H(x )) is hard! The collision-resistance of random functions with outputs sampled from a non-uniform distribution 4 Comment: The same proof techniques work for OAEP transform 3 [Unruh, Revocable quantum timed-release encryption, Eurocrypt 2014 ] 4 [Ebrahimi Targhi, Tabia, Unruh. Quantum Collision-Resistance of Non-uniformly Distributed Functions. PQCrypto 2016].

26 Question? Thank you!

On Post-Quantum Cryptography

On Post-Quantum Cryptography Ehsan Ebrahimi Quantum Cryptography Group University of Tartu, Estonia 15 March 2018 Information Security and Cryptography Group Seminar Post-Quantum Cryptography Users intend