Quantum-secure symmetric-key cryptography based on Hidden Shifts

Transcription

1 Quantum-secure symmetric-key cryptography based on Hidden Shifts Gorjan Alagic QMATH, Department of Mathematical Sciences University of Copenhagen Alexander Russell Department of Computer Science & Engineering University of Connecticut arxiv:

2 quantum computation + cryptography Typical post-quantum crypto: quantum adversary cryptosystem classical Classical crypto in quantum world: quantum adversary cryptosystem classical Fully-quantum crypto: quantum adversary cryptosystem

3 quantum access? Classical functions on a quantum computer Let f: 0,1 n 0,1 m be some function. Quantum generalizes classical, so we can implement f on our quantum computer. How? 1. x, y (x, y f x ) [turn into reversible function] 2. x y x y f x [run circuit on your quantum computer] But wait now we can plug in non-classical inputs: α xy x y α xy x y f x x,y x,y E.g., can prepare uniform superposition of values: x f x x (x, f x ) for random x??

4 quantum access? Recall CPA: Some protocol involving an encryption scheme Enc, Dec Enc k A classically: Enc k implements the map: x Enc k x ; what happens if A can run this map quantumly? then A gets quantum oracle: x y x y Enc k x and can run it on non-classical inputs! x Enc k x?? x

5 quantum access: is it realistic? In some settings, quantum oracles make perfect sense: public-key encryption: pk encrypt circuit hash functions: algorithm exposing code: obfuscated circuit reversible circuit In other settings, this might depend on the model, or the physics: private-key encryption (can device act coherently? frozen smart card [GHS16]) authentication and signatures (can user be fooled into signing superposition?) In any case: the model is of theoretical interest!

6 is *anything* secure in this model? Yes: pseudorandomness still exists! [GGM84] construction yields PRFs {f k } which are quantum oracle secure [Zha12]. Authentication [BZ13]: Uniformly random key k for f k ; MAC k m = f k m. Encryption [BZ13]: Uniformly random k for f k ; Enc k m = r, f k r m. Maybe everything is ok, even in this model?

7 quantum oracle attacks: an example Simplest block cipher [EM97, DKS11]: 1. Fix public, random permutation P: 0,1 n 0,1 n ; 2. Uniformly random key: k R 0,1 n ; 3. Encrypt: E k x = P x k k. k k x P E k (x) Security: E k is strongly pseudorandom (even if adversary has P, P 1, E k, E 1 k.) can t decrypt; can t forge input/output pairs, etc.

8 quantum oracle attacks: an example Simplest block cipher [EM97, DKS11]: k k E k x = P x k k. x P E k (x) Quantum attack [KM12]: 1. Form oracle f x = P x E k x ; 2. Apply Simon s algorithm on f and output result. Why does it work? f x = P x P x k k = f(x k) This is Simon s promise attack will output k! simple predecessor to Shor Given: oracle access to f; Promise k s.t. f x = f(y) iff y = x k; Output: k Devastating: complete key recovery with only O(n) queries, space and time! Simple variants also break: 3-round Feistel [KM10], Encrypted-CBC-MAC, LRW tweakable ciphers, many CAESAR candidates, [KLLN16, SS16].

9 what is really at the core: hidden shift The Simon attack breaks: Even-Mansour, 3-round Feistel, Encrypted-CBC-MAC, LRW tweakable ciphers, many CAESAR candidates, if viewed in a certain way, all the attacks first build a pair of shifted functions: f x = g(x k) and then apply Simon s algorithm to f x g(x). well-known to quantum algorithms community! Hidden Shift Problem (HS). Fix a finite group G. Given oracles for injective f, g: G S and a promise that s G such that f x = g(x s) for all x G, output s. f g

10 hidden shift problem Classically: requires exponentially-many queries [in n = log( G ) ]. Quantumly: efficiently solvable for G = Z 2 n (Simon). For most other groups, Hidden appears Shift Problem to be hard. (HS). Fix a finite group G. Given oracles for injective f, g: G S Cyclic groups: (e.g., and Z 2 n) a promise that s G such that f x = g(x s) for all x G, output s. best quantum algorithm takes 2 O n time [Kup03]. only idea we have ( coset sampling ) : if it works, then UniqueSVP BQP [Reg02]. Symmetric groups: (i.e., S n ) no subexp algorithms known; coset sampling unlikely to give even subexp algorithms [MR05, MRS07].

11 hidden shift crypto The Simon attack breaks: Even-Mansour, 3-round Feistel, Encrypted-CBC-MAC, LRW tweakable ciphers, many CAESAR candidates, Generic fix: select an exponentially-large group (family) G (e.g., cyclic Z 2 n, dihedral D m, symmetric S n, Lie-type SL 2 (F q ), ) replace input/output spaces with G (or a power of G). replace bitwise XOR operation with group operation on G. Sanity check [AH17]: this does not affect classical security or classical-access security against quantum adversaries.

12 hidden shift crypto The Simon attack breaks: Even-Mansour, 3-round Feistel, Encrypted-CBC-MAC, LRW tweakable ciphers, many CAESAR candidates, Generic fix: select an exponentially-large group (family) G (e.g., cyclic Z 2 n, dihedral D m, symmetric S n, Lie-type SL 2 (F q ), replace input/output spaces with G (or a power of G). replace bitwise XOR operation with group operation on G. Example 1: Even-Mansour. 1. Fix public, random permutation P: G G; 2. Select key: k R G; 3. Encrypt: E k x = P x k k. k k x P E k (x) : G G G

13 hidden shift crypto The Simon attack breaks: Even-Mansour, 3-round Feistel, Encrypted-CBC-MAC, LRW tweakable ciphers, many CAESAR candidates, Generic fix: select an exponentially-large group (family) G (e.g., cyclic Z 2 n, dihedral D m, symmetric S n, Lie-type SL 2 (F q ), replace input/output spaces with G (or a power of G). replace bitwise XOR operation with group operation on G. Example 2: Feistel network. 1. Choose pseudorandom function R: 0,1 n G G; 2. Choose keys k j R 0,1 n, set R j R kj ; 3. Build pseudorandom permutation on G G: R 1 R R 3 + : G G G

14 hidden shift crypto The Simon attack breaks: Even-Mansour, 3-round Feistel, Encrypted-CBC-MAC, LRW tweakable ciphers, many CAESAR candidates, Generic fix: select an exponentially-large group (family) G (e.g., cyclic Z 2 n, dihedral D m, symmetric S n, Lie-type SL 2 (F q ), replace input/output spaces with G (or a power of G). replace bitwise XOR operation with group operation on G. Example 3: Encrypted-CBC-MAC. 1. Fix keyed, pseudorandom permutation E: 0,1 n G G; 2. Select key pair: k, k 1 R 0,1 n ; 3. Decompose message m G l into blocks m j G. 1 + E k + E k E k E k : G G G

15 main results Is this generic fix a good idea? 1. The Hidden Shift Problem (HS) seems to be a good crypto primitive. Theorem 1. The Hidden Shift Problem is random self-reducible.

16 main results Is this generic fix a good idea? 1. The Hidden Shift Problem (HS) seems to be a good crypto primitive. randomized version RHS where f is random and g is a shift; QPT = quantum polynomial-time algorithm. Theorem 1. RHS is random self-reducible. That is, if there exists a QPT which solves RHS for a 1/poly-fraction of inputs, then there exists a QPT which solves RHS and HS for all but a negligible fraction of inputs. Proof idea: Use the 1/poly-fraction QPT to explore the entire space of instances, by: 1. randomizing shifts by pre-composing f (but not g) with a random shift; 2. randomize outputs by post-composing both f and g with a qprf; 3. repeat with fresh randomness, and a fresh qprf key poly-many times; 4. test any outputs of the QPT by random sampling and checking.

17 main results Is this generic fix a good idea? 1. The Hidden Shift Problem (HS) seems to be a good crypto primitive. Theorem 2. The decision and search version of HS are equivalent.

18 main results Is this generic fix a good idea? 1. The Hidden Shift Problem (HS) seems to be a good crypto primitive. Decision version (DRHS). Decide: (i.) f is random, g is a shift, or (ii.) f, g are random. Theorem 2. Suppose G has an efficient subgroup series (e.g., Z 2 n or S n.) Then there exists a QPT* for DRHS if and only if there exists a QPT* for RHS. Proof idea: RHS DRHS is obvious (note: can amplify here.) DRHS RHS. Descend subgroup tower G m G m 1 G 1 recursively. 1. for each transversal element α, call DRHS on f and g L α restricted to G m 1 ; 2. exactly one value of α (say, β m ) will result in shift; 3. recursively call algorithm on next level down with restrictions of f and g L βm ; 4. output product β m β m 1 β 1. * - with at most 1/poly completeness and soundness error

19 main results Is this generic fix a good idea? 2. It frustrates all known Simon attacks. The Simon attack on the Hidden Shift variants of all aforementioned schemes requires a subroutine for efficiently solving the RHS problem over the relevant group family. By our theorems + previous results, this would yield: (worst-case) quantum algorithm for Hidden Shift; (worst-case) quantum algorithm for Hidden Subgroup Problem; (over Z d ) possible poly-time quantum attacks on lattice crypto [Regev02]; (over S n ) simple poly-time quantum algorithms for Graph Isomorphism; (over S n ) efficient attacks on known-code version of McEliece [DMR10].

20 main results Is this generic fix a good idea? 3. In some cases, we can prove security reductions. HS assumption: there does not exist a polynomial-time quantum algorithm for the Hidden Shift problem which succeeds on all instances. Theorem 3 [AR16]. Under the HS assumption, the Hidden Shift Even-Mansour cipher is pseudorandom. Theorem 4 [AR16]. Under the HS assumption, the Hidden Shift Encrypted-CBC-MAC is collision-free.

21 conclusions In the quantum oracle security model previous results: many standard schemes (Even-Mansour, Feistel, CBC-MAC, etc.) are broken; we identified an easy generic patch: replace bitwise XOR with modular addition; quantum-resistance of resulting schemes is connected to Hidden Shift and Hidden Subgroup Problem; in some cases via rigorous security reductions; this crypto view on HS and HSP led to some new results on their algorithmic hardness! What s next? what else is broken in this model? can HS or HSP serve as a basis for other quantum-secure crypto? gain confidence in our security notions for encryption, authentication, signatures, etc. Thanks!