Post-quantum Security of the CBC, CFB, OFB, CTR, and XTS Modes of Operation.

Transcription

1 OFB, CTR, In CBC, Ehsan Ebrahimi Targhi, Gelo Noel Tabia, Dominique Unruh University of Tartu February 4, 2016

2 Table of contents In CBC In CBC PRF under quantum 5 6

3 Being optimistic about the emergence of computer we want to evaluate the classical crypto-systems under by quantum adversaries. We analyze the cipher modes of operation. These modes are chosen as per the recommendations in 2013 ENISA[2] 1 report on encryption algorithms. In CBC 1 European Union Agency for Network and Information Security 2013.

4 In CBC Mode of Classical Standard (quantum) IND-qCPA? operation IND-CPA? IND-CPA? (with PRF) (with qprf) ECB no no no no CBC yes yes no yes CFB yes yes no yes OFB yes yes yes yes CTR yes yes yes yes XTS unknown unknown no in spirit unknown Table: Summary of our results. No in spirit means that there is an using superposition queries that does not formally violate IND-qCPA.

5 Standard Security [4] 2 In CBC 2 Mark Zhandry, FOCS 2012.

6 Security [4] 3 In CBC 3 Mark Zhandry, FOCS 2012.

7 IND-CPA Model In CBC

8 IND-qCPA Model[1] 4 In CBC 4 Dan Boneh and Mark Zhandry, CRYPTO 2013.

9 In CBC

10 We need to show that output of using a qprf is indistinguishable from truly random string. Define Enc i,h CBC (M). In CBC

11 In CBC Use O2H lemma to show that the distinguishing probability by any quantum adversary is negligible.

12 One way to hiding (O2H)[3] 5 In CBC 5 Dominique Unruh, eprint 2013.

13 Construction of Block cipher for CBC In CBC BC is a standard secure PRF for any quantum adversary given classical access to it and quantum access to H. BC has a collision such that x x : x (k 1) = x.

14 Proof Idea:Standard BC In CBC

15 Proof Idea:Standard BC Idea: to replace E in BC by a random function. if we replace key H(k) of E by a random key k, we can use O2H lemma. we define adversary A O2H and block cipher BC k w with E using random key. In CBC

16 Proof Idea:Standard BC We have the games as in O2H lemma In CBC

17 Proof Idea:Standard BC Game G0 is replaced by G2. In CBC

18 Proof Idea:Standard BC We now replace E by a random function Ẽ In CBC

19 Proof Idea:Standard BC The only difference between the two games is when same query is queried again. By fundamental lemma of games we get the probability to be negligible. In CBC

20 on using standard secure PRF In CBC BC has similar structure as function f and hence this weakness can be exploited to get key k.

21 Dan Boneh and Mark Zhandry. Secure signatures and chosen ciphertext security in a quantum computing world The definition of IND-qCPA only appear in this eprint, not in the conference version. (ENISA). In CBC Algorithms, key sizes and parameters report recommendations. and- trust/library/deliverables/algorithms-key-sizes-and-parameters-report, October Dominique Unruh. Revocable quantum timed-release encryption. IACR Cryptology eprint Archive, 2013:606, Mark Zhandry. How to construct quantum random functions. In 53rd Annual IEEE Symposium on Foundations of Computer Science, FOCS 2012, New Brunswick, NJ, USA, October 20-23, 2012, pages IEEE Computer Society, 2012.

22 THANK YOU!!! In CBC