Semantic Security and Indistinguishability in the Quantum World

Size: px

Start display at page:

Download "Semantic Security and Indistinguishability in the Quantum World"

Jasmine Hamilton
5 years ago
Views:

1 Semantic Security and Indistinguishability in the Quantum World Tommaso Gagliardoni 1, Andreas Hülsing 2, Christian Schaffner 3 1 IBM Research, Swiss; TU Darmstadt, Germany 2 TU Eindhoven, The Netherlands 3 University of Amsterdam, CWI, QuSoft, The Netherlands Crypto Working Group, Utrecht, NL 24/03/2017

2 Introduction 2

3 Symmetric encryption E = (Kg, Enc, Dec) Plaintext m r Randomness Enc Ciphertext Secret key k Plaintext m Dec Ciphertext 3

4 Adversaries I: Classical Security E Adversary = probabilistic polynomial time (PPT) algorithm 4

5 Adversaries II: Post-Quantum Security E Adversary = bounded-error quantum polynomial time (BQP) algorithm 5

6 Adversaries III: Quantum Security E Adversary = bounded-error quantum polynomial time (BQP) algorithm 6

7 Why should we care? 1. Use in protocols 2. Quantum cloud 3. Quantum obfuscation 4. Side-channel attacks that trigger some measurable quantum behaviour 5. Oh, and because we can! 7

8 Semantic security (SEM) Simulation-based security notion Captures intuition: It should not be possible to learn anything about the plaintext given the ciphertext which you could not also have learned without the ciphertext. 8

9 Semantic security (SEM): Challenge phase (S n, h, f) (c, h(m)) m S n, c = Enc k m, A (f(m)) C A cannot do significantly better in the above game than a simulator S that does not receive c. 9

10 Indistinguishability (IND) (of ciphertexts) Pure game-based notion (no simulator) Easier to work with than SEM Intuition: You cannot distinguish the encryptions of two messages of your choice Shown to be equivalent to SEM! 10

11 Indistinguishability (IND): Challenge phase (m 1, m 2 ) c b R {0, 1}, c = Enc k m b, b A C A cannot output correct b with significantly bigger probability than guessing. 11

12 Chosen plaintext attacks (CPA) Adversary might learn encryptions of known messages To model worst case: Let adversary chose messages Can be combined with both security notions IND & SEM Normally: Learning phases before & after challenge phase 12

13 CPA Learning phase m c c = Enc k m A C A can ask q poly(n) queries in all learning phases. 13

14 IND-CPA Learning I m c c = Enc k m, A Learning II Challenge (m 1, m 2 ) c m c b R {0, 1}, c = Enc k m b, c = Enc k m, C Finish b A cannot output correct b with significantly bigger probability than guessing. 14

15 Quantum security notions 15

16 Previous work [BZ13] Boneh, Zhandry: "Secure Signatures and Chosen Ciphertext Security in a Quantum Computing World", CRYPTO'13 Model encryption as unitary operator defined by: x,y x, y x,y x, y Enc k (x) (where Enc k ( ) is a classical encryption function) 16

17 Indistinguishability under quantum chosen message attacks (IND-qCPA) Give adversary quantum access in learning phase Classical challenge phase 17

18 IND-qCPA x, y (m 1, m 2 ) c x, y x, y Enc k (x) b R {0, 1}, c = Enc k m b, A x, y b x, y x, y Enc k (x) A cannot output correct b with significantly bigger probability than guessing. 18 C

19 Indistinguishability under quantum chosen message attacks (IND-qCPA) Give adversary quantum access in learning phase Classical challenge phase Can be proven strictly stronger than IND-CPA Why would you do this? If we assume adversary has quantum access, why not also when it tries to learn something new? 19

20 Fully-quantum indistinguishability under quantum chosen message attacks (fqind-qcpa) Give adversary quantum access in learning phase Quantum challenge phase 20

21 fqind-qcpa x, y A x 1, x 2, y x, y b x, y x, y Enc k (x) b R {0,1}, x 1, x 2, y x 1, x 2, y Enc k (x b ) x, y x, y Enc k (x) C A cannot output correct b with significantly bigger probability than guessing. 21

22 fqind is unachievable [BZ13] 22

23 fqind is unachievable [BZ13] 23

24 fqind is unachievable [BZ13] 24

25 [BZ13] & our contribution 25

26 [BZ13] & our contribution 26

27 How to define qind-qcpa? 27

28 How to define qind-qcpa? 28

29 How to define qind-qcpa? 29

30 How to define qind-qcpa? 30

31 Model: (O) vs (C) (O) (C) 31

32 Model: (Q) vs (c) (Q) (c) 32

33 Model: Type (1) vs type (2) Type (1) Type (2) 33

34 Quantum indistinguishability (qind) 34

35 Quantum indistinguishability (qind) 35

36 Separation example 36

37 Separation example 37

38 Separation example 38

39 Impossibility result 39

40 Impossibility result 40

41 The attack 41

42 The attack 42

43 The attack 43

44 The attack 44

45 The attack 45

46 The attack 46

47 The attack 47

48 The solution 48

49 The solution 49

50 The solution 50

51 The solution 51

52 The solution 52

53 Secure Construction 53

54 Conclusion 54

55 Thank you! Questions? 55

UvA-DARE (Digital Academic Repository) Semantic security and indistinguishability in the quantum world Gagliardoni, T.; Hülsing, A.; Schaffner, C.

UvA-DARE (Digital Academic Repository) Semantic security and indistinguishability in the quantum world Gagliardoni, T.; Hülsing, A.; Schaffner, C. Published in: Advances in Cryptology CRYPTO 2016 DOI: