Quantum Key Search with Side Channel Advice

Size: px

Start display at page:

Download "Quantum Key Search with Side Channel Advice"

Luke O’Brien’
5 years ago
Views:

1 Quantum Key Search with Side Channel Advice D Martin 1, A Montanaro 1, E Oswald 1 and D Shepherd 2 1 University of Bristol 2 National Cyber Security Centre 18 th August 2017 Quantum Key Search with Side Channel Advice Slide 1 of 12

2 Classical Cryptography A x y O k Quantum Key Search with Side Channel Advice Slide 2 of 12

3 Practical Cryptography L(k, x; r) A x y O k Quantum Key Search with Side Channel Advice Slide 3 of 12

4 Post-Quantum Cryptography A x y O k Quantum Key Search with Side Channel Advice Slide 4 of 12

5 Key Enumeration Definition: Distinguishing Vector k = (k 1,, k m ) k i {1,, n} w, n by m matrix output by side channel distinguisher w j,i Z + represents likelihood k i takes value j (smaller most likely) Score of a key is then m i=1 w k i,i Definition: Key Enumeration Given an n m weight matrix w and e Z, output the e keys with the lowest weights (breaking ties arbitrarily) Quantum Key Search with Side Channel Advice Slide 5 of 12

6 Key Enumeration Definition: Distinguishing Vector k = (k 1,, k m ) k i {1,, n} w, n by m matrix output by side channel distinguisher w j,i Z + represents likelihood k i takes value j (smaller most likely) Score of a key is then m i=1 w k i,i Definition: Key Enumeration Given an n m weight matrix w and e Z, output the e keys with the lowest weights (breaking ties arbitrarily) Quantum Key Search with Side Channel Advice Slide 5 of 12

7 Key Enumeration Example k k k w i,j k m n 1 n Figure : Score vectors for m key chunks Each subkey can take values from 1 to n, and scores w i,j are on a scale that depends on the side channel distinguisher Quantum Key Search with Side Channel Advice Slide 6 of 12

8 Key Enumeration Example k k k w i,j k m n 1 n Figure : Score vectors for m key chunks Each subkey can take values from 1 to n, and scores w i,j are on a scale that depends on the side channel distinguisher Quantum Key Search with Side Channel Advice Slide 6 of 12

9 Key Enumeration Example k k k w i,j k m n 1 n Figure : Score vectors for m key chunks Each subkey can take values from 1 to n, and scores w i,j are on a scale that depends on the side channel distinguisher Quantum Key Search with Side Channel Advice Slide 6 of 12

10 Key Enumeration Example k k k w i,j k m n 1 n Figure : Score vectors for m key chunks Each subkey can take values from 1 to n, and scores w i,j are on a scale that depends on the side channel distinguisher Quantum Key Search with Side Channel Advice Slide 6 of 12

11 Key Search Definition: Key Search Given an n m weight matrix w, a testing function T and e Z, output any k i, with i e, such that T(k i ) = 1 and k i would be output from enumeration, on input w and e If no such i exists output AES Testing Function T(x) = { 1 if AESx (m) = c 0 otherwise Quantum Key Search with Side Channel Advice Slide 7 of 12

12 Key Search Definition: Key Search Given an n m weight matrix w, a testing function T and e Z, output any k i, with i e, such that T(k i ) = 1 and k i would be output from enumeration, on input w and e If no such i exists output AES Testing Function T(x) = { 1 if AESx (m) = c 0 otherwise Quantum Key Search with Side Channel Advice Slide 7 of 12

13 A First Attempt - Grover s Algorithm Problem Definition Given N items x 1,, x N one of which is marked, return the marked item Time Complexity Classically: O(N) Grover s: O( N) Quantum Key Search with Side Channel Advice Slide 8 of 12

14 A First Attempt - Grover s Algorithm Problem Definition Given N items x 1,, x N one of which is marked, return the marked item Time Complexity Classically: O(N) Grover s: O( N) Quantum Key Search with Side Channel Advice Slide 8 of 12

15 A Second Attempt - Montanaro s Algorithm Problem Definition Given N items x 1,, x N, one of which is marked, and probabilities p 1,, p N return the marked item, where x i is the marked item with probability p i Expected Time Complexity Classically: O( N i=1 p i i) Montanaro s: O( N i=1 p i i) Algorithm Description 1 i 0 2 Select the next a i most likely x s 3 Pass them to Grover s 4 If item found return it, else increment i and repeat from 2 Quantum Key Search with Side Channel Advice Slide 9 of 12

16 A Second Attempt - Montanaro s Algorithm Problem Definition Given N items x 1,, x N, one of which is marked, and probabilities p 1,, p N return the marked item, where x i is the marked item with probability p i Expected Time Complexity Classically: O( N i=1 p i i) Montanaro s: O( N i=1 p i i) Algorithm Description 1 i 0 2 Select the next a i most likely x s 3 Pass them to Grover s 4 If item found return it, else increment i and repeat from 2 Quantum Key Search with Side Channel Advice Slide 9 of 12

17 A Second Attempt - Montanaro s Algorithm Problem Definition Given N items x 1,, x N, one of which is marked, and probabilities p 1,, p N return the marked item, where x i is the marked item with probability p i Expected Time Complexity Classically: O( N i=1 p i i) Montanaro s: O( N i=1 p i i) Algorithm Description 1 i 0 2 Select the next a i most likely x s 3 Pass them to Grover s 4 If item found return it, else increment i and repeat from 2 Quantum Key Search with Side Channel Advice Slide 9 of 12

18 The Third (and Final) Attempt - Utilising Our Key Rank Algorithm (AC:MOOS15) w = S Cumulative Weight Subkey # 2 A Quantum Key Search with Side Channel Advice Slide 10 of 12

19 The Third (and Final) Attempt - Utilising Our Key Rank Algorithm (AC:MOOS15) w = S Cumulative Weight Subkey # 2 A Quantum Key Search with Side Channel Advice Slide 10 of 12

20 The Third (and Final) Attempt - Utilising Our Key Rank Algorithm (AC:MOOS15) w = S Cumulative Weight Subkey # 2 A Quantum Key Search with Side Channel Advice Slide 10 of 12

21 The Third (and Final) Attempt - Utilising Our Key Rank Algorithm (AC:MOOS15) w = S Cumulative Weight Subkey # 2 A Quantum Key Search with Side Channel Advice Slide 10 of 12

22 The Third (and Final) Attempt - Utilising Our Key Rank Algorithm (AC:MOOS15) w = S Cumulative Weight Subkey # 2 A Quantum Key Search with Side Channel Advice Slide 10 of 12

23 The Third (and Final) Attempt - Utilising Our Key Rank Algorithm (AC:MOOS15) w = S Cumulative Weight Subkey # 2 A Quantum Key Search with Side Channel Advice Slide 10 of 12

24 The Third (and Final) Attempt - Utilising Our Key Rank Algorithm (AC:MOOS15) w = S Cumulative Weight Subkey # 2 A Quantum Key Search with Side Channel Advice Slide 10 of 12

25 The Third (and Final) Attempt - Utilising Our Key Rank Algorithm (AC:MOOS15) w = S Cumulative Weight Subkey # 2 A Quantum Key Search with Side Channel Advice Slide 10 of 12

26 The Third (and Final) Attempt - Utilising Our Key Rank Algorithm (AC:MOOS15) w = S Cumulative Weight Subkey # 2 A Quantum Key Search with Side Channel Advice Slide 10 of 12

27 The Third (and Final) Attempt - Utilising Our Key Rank Algorithm (AC:MOOS15) w = S Cumulative Weight Subkey # 2 A Quantum Key Search with Side Channel Advice Slide 10 of 12

28 Putting it all together High Level Algorithm 1 i 0 2 Choose weight W such that it contains approximately a i keys 3 Construct described graph with weight W 4 Construct testing function T which on input r, it looks up key r using the graph and passes it to T 5 Use Grover s with T 6 If item found return it, else increment i and repeat from 2 Discussion 1 If e keys are tested, time has a e improvement over classically 2 Does require a QRAM - however, it is fairly small (size independent of e) Take Away Points 1 Adding Quantum to Side Channels gives a square root speed up 2 Adding Side Channels to Quantum makes efficient key search possible Quantum Key Search with Side Channel Advice Slide 11 of 12

29 Putting it all together High Level Algorithm 1 i 0 2 Choose weight W such that it contains approximately a i keys 3 Construct described graph with weight W 4 Construct testing function T which on input r, it looks up key r using the graph and passes it to T 5 Use Grover s with T 6 If item found return it, else increment i and repeat from 2 Discussion 1 If e keys are tested, time has a e improvement over classically 2 Does require a QRAM - however, it is fairly small (size independent of e) Take Away Points 1 Adding Quantum to Side Channels gives a square root speed up 2 Adding Side Channels to Quantum makes efficient key search possible Quantum Key Search with Side Channel Advice Slide 11 of 12

30 Putting it all together High Level Algorithm 1 i 0 2 Choose weight W such that it contains approximately a i keys 3 Construct described graph with weight W 4 Construct testing function T which on input r, it looks up key r using the graph and passes it to T 5 Use Grover s with T 6 If item found return it, else increment i and repeat from 2 Discussion 1 If e keys are tested, time has a e improvement over classically 2 Does require a QRAM - however, it is fairly small (size independent of e) Take Away Points 1 Adding Quantum to Side Channels gives a square root speed up 2 Adding Side Channels to Quantum makes efficient key search possible Quantum Key Search with Side Channel Advice Slide 11 of 12

31 Questions? Full version available at eprintiacrorg/2017/171 Quantum Key Search with Side Channel Advice Slide 12 of 12

Quantum Key Search with Side Channel Advice

Quantum Key Search with Side Channel Advice Daniel P. Martin 1, Ashley Montanaro 2, Elisabeth Oswald 3, and Dan Shepherd 4 1 School of Mathematics, University of Bristol, Bristol, BS8 1TW, UK, and the