Secure Signatures and Chosen Ciphertext Security in a Quantum Computing World. Dan Boneh and Mark Zhandry Stanford University

Transcription

1 Secure Signatures and Chosen Ciphertext Security in a Quantu Coputing World Dan Boneh and Mark Zhandry Stanford University

2 Classical Chosen Message Attack (CMA) σ = S(sk, ) signing key sk

3 Classical CMA + Quantu Coputer (post-quantu CMA) Adversary has quantu coputing power: σ = S(sk, ) signing key sk Interactions reain classical classical proofs often carry through

4 This Talk: Quantu CMA Everyone is quantu quantu queries σ Superposition of all essages signing key sk Signatures on all essages Quantu interactions need quantu proofs Extends [ BDFLSZ 11, DFNS 11, Z 12a, Z 12b, BZ 13a ]

5 An Eerging Field Many classical security gaes have quantu analogs: Quantu secret sharing, zero knowledge [ DFNS 11 ] Quantu-secure PRFs [ Z 12b ] Quantu CMA for MACs [ BZ 13a ] Quantu-secure non-alleable coitents??? Quantu-secure IBE, ABE, FE??? Quantu-secure identification protocols???

6 Motivation Quantu world unforeseen exotic attacks? Use ost conservative odel Objection: can always classicalize queries Burden on hardware designer What if adversary can bypass? Quantu-secure crypto: no need to classicalize

7 Quantu Security: Signature Definition σ signing key sk q queries ( 0, σ 0 ),, ( q, σ q ) Existential forgery: q quantu queries q+1 (distinct) signatures

8 Building Quantu-Secure Signatures Separation: Theore: classical CMA secure schees that are not quantu CMA secure Difficulties in proving quantu security: Aborts see probleatic Reduction ust sign entire superposition correctly Existing proof techniques [ Z 12b, BZ 13a ] leave query intact Known liitations in quantu setting: MPC [ DFNS 11 ] Fiat-Shair in QROM [ DFG 13 ] Cannot prove security for unique signatures (Ex: Laport)

9 Building Quantu-Secure Signatures First attept: do classical constructions work? Exaples: Fro lattices [ CHKP 10, ABB 10 ] Using rando oracles [ BR 93, GPV 08 ] Fro generic assuptions [ Ro 90 ] Short answer: soeties yes, with sall odifications

10 Hash and Sign Many classical signature schees hash before signing: sk S h V H S σ Classical Advantages: Only sign sall hash ore efficient Weak security requireents for S if H odeled as rando oracle Our Goal: Prove quantu security of S assuing only classical security of S

11 Quantu Security of Hash and Sign H h sk V S σ ( 0, σ 0 ),, ( q, σ q ) Success prob: ε First Step: Siulate using only classical queries to S Proble: exponentially any h ust query S too any ties

12 Sall Range Distributions [ Z 12b ] Quantu siulation tool: Let P: M [r], Q: [r] H be rando functions P i Q h? H h Theore [ Z 12b ]: Q P H for large enough (polynoial) r

13 Step 1: Use S.R. Distribution for H sk P i Q h V S σ ( 0, σ 0 ),, ( q, σ q ) Success prob: ε/2 Now S only queried on r inputs Can siulate Next Step: Use one of the σ i as a forgery for S Proble: # of sigs ( q+1 ) << # of S queries ( r )

14 Interediate Measureent New quantu siulation technique: x in y out Success prob: σ in x y x t possible outcoes out Theore: Success prob: σ/t

15 Step 2: Measure Output of P P i i Q h sk V S σ ( 0, σ 0 ),, ( q, σ q ) Success prob: ε/2r q Only q queries to S One of the σ i ust be forgery for S Success probability non-negligible for constant q

16 Many-tie Secure Schee To sign each essage, draw A rando salt A pairwise indep function R sk S salt H R h r V S $ σ, salt Theore: If S is classical any-tie secure, then S is quantu any-tie secure

17 Other Signature Constructions Theore: (Slight variant of) GPV is quantu-secure Uses entirely different techniques Non-Rando Oracle Schees: Theore: Generic conversion using Chaeleon hash Theore: Collision resistance quantu-secure signatures Follow-up work: signatures fro one-way functions

18 Quantu Chosen Ciphertext Attack What if adversary can learn decryptions of superpositions of ciphertexts? c decryption key sk Adversary attepts to break classical seantic security

19 Quantu CCA Encryption Our results: Separation: Theore: classical CCA secure schees that are not quantu CCA secure Two constructions: Theore: OWF Syetric key quantu CCA Theore: LWE Public key quantu CCA

20 Suary & Open Probles Classical security does not iply quantu security Quantu-secure signatures: In the (quantu) rando oracle odel (inc. GPV sigs) Using a chaeleon hash Fro collision resistance Quantu CCA encryption: both syetric and public key Open Probles: Quantu security of Fiat Shair signatures? Quantu security of CBC-MAC, NMAC, PMAC?

21 Thanks!