Classical Encryption and Authentication under Quantum Attacks


arXiv v1 [cs.CR] 14 Jul 2013
Maria Velema
July 12, 2013

Abstract

Post-quantum cryptography studies the security of classical, i.e. non-quantum, cryptographic protocols against quantum attacks. Until recently, the considered adversaries were assumed to use quantum computers and behave like classical adversaries otherwise. A more conservative approach is to assume that also the communication between the honest parties and the adversary is (partly) quantum. We discuss several options to define secure encryption and authentication against these stronger adversaries who can carry out superposition attacks. We re-prove a recent result of Boneh and Zhandry, stating that a uniformly random function (and hence also a quantum-secure pseudorandom function) can serve as a message-authentication code which is secure, even if the adversary can evaluate this function in superposition.

Acknowledgements

I would like to thank my supervisor Christian Schaffner for working together after making me interested with his course on cryptography. I am grateful for his patience and didactic guidance through the complex proofs during my project. His help and confidence made this result possible. I want to thank Ronald de Wolf for noticing the relation between the theorem of Boneh and Zhandry and Farhi's result. Apart from playing this crucial role, he made some very important comments. I also want to thank the other members of the thesis committee, Alexandru Baltag and Serge Fehr, for taking the time to read my thesis and for correcting some details. I thank both Gerrit and Frank for their useful (and funny) comments from a different point of view. Finally, I want to thank Nicole and Peter-Paul for studying together at the kitchen table.

Contents

1 Introduction
2 Preliminaries
3 Cryptography
  3.1 Introduction
  3.2 Mathematical Security
    3.2.1 Encryption
    3.2.2 Authentication
  3.3 Pseudorandomness
4 Quantum Computing
  4.1 Introduction
  4.2 Technical Framework
  4.3 Entanglement
  4.4 Query Model
5 Quantum Security Models
  5.1 Encryption
  5.2 Authentication
6 Quantum-Secure Authentication
  6.1 Main Result
  6.2 Proof of Theorem
  6.3 Applications of Theorem
7 Conclusion and Further Research

1 Introduction

To be prepared for a future in which quantum computers have significant computing power but are not available to all users of cryptographic protocols, we need to study the security of classical (i.e. non-quantum) schemes against quantum attacks. Usually in the field of post-quantum cryptography, it is assumed that the honest parties are fully classical and the attackers or adversaries use quantum computers. This scenario can be generalized by dropping the assumption that the honest parties can compute and communicate only classically. An important argument to do this is the fact that the world, as physical theories describe it nowadays, is not classical but quantum; although some devices are designed to work classically, they may leak quantum information under certain conditions. It is also conceivable that honest parties do use quantum computing, to speed up some computations, but still use classical schemes instead of quantum cryptography only. Since classical computing is a special form of quantum computing, considering quantum implementations of classical schemes captures a broader class of scenarios.

Notions of (classical) security are defined by means of a game between a challenger and an adversary. Different options to model the abilities of the adversaries lead to various security definitions. Damgård et al. [DFNS11] consider superposition attacks on some cryptographic protocols where communication between the honest players and the adversaries can be quantum. The protocols they discuss are secret sharing, zero-knowledge protocols and multiparty computation. Boneh and Zhandry [BZ13b] define quantum security games that model the case in which (part of) the communication is quantum, for both private-key and public-key encryption and authentication. They build upon earlier work in which pseudorandom functions are queried in superposition [Zha12]. Their research extends the ideas of the paper on quantum-accessible random oracles [BDF+11]. As Damgård et al. point out, there is an important difference between superposition attacks on functions that are implemented by the adversary herself and superposition attacks on protocols run by the honest party. The two seem similar, because both attacks are modelled in terms of oracles that may be queried in superposition. In the second case, however, the adversary tricks the honest party into acting like an oracle and some communication takes place, whereas in the first case the oracle is a subroutine of the algorithm that is modelled as a black box. It is not always clear how (unintended) quantum communication between the adversary and the honest parties should be modelled. In particular, is it plausible that the adversary is able to create quantum entanglement with the sender? Superposition queries to an oracle are usually modelled so that the result is a state including both the query and the answer. To end up in a similar state using quantum communication with the honest party, the adversary has to create a register that is entangled with the question. While the honest party is answering, he shares entanglement with the adversary.

In this thesis, we discuss the security definitions Boneh and Zhandry proposed in [BZ13b] and we suggest an alternative definition for quantum-secure encryption which uses, apart from superposition oracle access, also quantum communication without entanglement. We leave open the question whether this definition is equivalent to that of Boneh and Zhandry or strictly stronger, and whether it is feasible at all (i.e. whether there exists an encryption scheme that is secure in this sense).

The technical part of the thesis is focused on Message Authentication Codes (MACs) from pseudorandom functions under superposition attacks. We re-prove the theorem proved by Boneh and Zhandry [BZ13a] stating that a uniformly random function, and therefore also a pseudorandom function, can serve as a MAC which is secure, even if the adversary has superposition oracle access to this function. Formulated as a game it says that, except with negligible probability, it is impossible for any adversary to output q + 1 input-output pairs of the oracle function after making q superposition queries. Our approach to prove the theorem is based on the quantum polynomial method [BBC+97]. We follow the outline of the proof of an earlier result from quantum computing and generalize this result.

Chapter 2 gives a list of some basic notation and definitions. Chapter 3 is a general introduction to cryptography and Chapter 4 introduces some basic concepts of quantum computing and some more specific constructions that we will use in Chapter 6. In Chapter 5 we discuss how to model quantum attacks and Chapter 6 consists of the new proof of Boneh and Zhandry's theorem and some applications of it. Chapter 7 concludes and points out some interesting questions for future research.

2 Preliminaries

In this chapter we list some mathematical notation we use, and we define some basic concepts from probability theory and computational complexity.

We use the following notation for n ∈ ℕ:
- The set of all bit strings of length n is denoted by {0, 1}^n. {0, 1}^* denotes the bit strings of any finite length.
- [n] is the set of natural numbers from 0 to n − 1; [n]\{0} is the set of numbers from 1 to n − 1.
- Y^X is the set of functions f : X → Y.
- The bitwise XOR is denoted by ⊕ and is the operation that adds two bits modulo 2. Bitwise means that the operation is applied to the bits in the same position. For example: 01 ⊕ 11 = 10.

Definition 2.1 A weight assignment on a set S is a function D : S → ℝ that assigns a value to each element in the set. We can assume that the values always sum up to one (if not, we scale the values). A probability distribution is a weight assignment of which all values are non-negative and thus can be seen as probabilities. Note that in some cases we implicitly assume that all outcomes that are assigned probability zero are excluded from the set. When a distribution is sampled, that is, an element of the set is randomly chosen according to the distribution, we write r ← S. If the distribution is not explicitly mentioned, the uniform distribution is assumed. In this thesis we only consider distributions over finite sets.

Definition 2.2 A function ε : ℕ → ℝ_{>0} is negligible if ε decreases faster than any inverse polynomial:
$\forall c > 0 \;\exists N_c \in \mathbb{N}$ such that $\forall n > N_c$ it holds that $\varepsilon(n) < \frac{1}{n^c}$.

Equivalently to Turing machines, every computation can be modelled by a (uniform family of) Boolean circuits built from certain basic Boolean operations called gates.

Definition 2.3 For every n ∈ ℕ, an n-input, single-output Boolean circuit is a directed graph with n sources (vertices with no incoming edges) and one sink (a vertex with no outgoing edges). All non-source vertices are gates labelled with a logical operation OR, AND or NOT. The size of a circuit is the number of vertices in it. (Arora and Barak [AB09])

If an algorithm has access to some oracle, then the circuit contains query gates in addition. This means that querying the oracle costs one time step.

Sets of natural numbers and formal decision problems can be compared by their complexity: how difficult it is for algorithms to compute, respectively solve, them. To which complexity class(es) a problem belongs depends on the running time or memory space it takes an optimal algorithm to solve the problem and on whether it uses randomness. The two best known complexity classes are the following:
- P is the class of problems that can be solved in polynomial time, or equivalently by a uniform family of polynomially-sized circuits.
- NP is the class of problems for which a witness that shows the positive answer can be verified in polynomial time. For example, the problem whether a model exists satisfying a formula φ is in NP, because we can verify in polynomial time whether a given model satisfies φ.

It has not been proved, but it is generally believed, and it is an underlying assumption for a lot of theorems (especially in cryptography), that P ≠ NP.

3 Cryptography

This chapter provides the background in cryptography that is needed to understand Chapters 5 and 6. The first section introduces the research field. In Section 3.2 we formally define encryption schemes and message authentication codes and the traditional security notions for these two concepts. Section 3.3 is about the more abstract notion of pseudorandomness, which has a lot of applications in different cryptographic constructions.

3.1 Introduction

Cryptography literally means secret writing and has been used in wars and diplomatic affairs since the time of Julius Caesar. There are two main goals in cryptography:
- secrecy: an adversary who intercepts an encrypted message should not be able to gain any information about the content of the message from it.
- authentication: it should be certain for the receiver by whom the message was sent and that the received message is exactly the one that was sent.

Assuming that the parties (often called Alice and Bob) communicate by sending data over a public channel, the only way to achieve the first goal perfectly is to send an encrypted version of the message (called the ciphertext) that is statistically independent of the original message, but which can be decrypted using a secret key. This key is arranged in advance between the sender and the receiver. Statistically independent means that for all m and c the probability that the original message is m is equal to the probability that the message is m given that the ciphertext is c.

This definition is called information-theoretic security and is only achievable if the secret key is at least as large as the message and used only once, as was shown by Shannon [Sha49]. For example, if the length of the key is smaller than the length of the messages, it is possible to carry out a brute-force attack. The decryption algorithm is run repeatedly on the ciphertext with each possible key. Because there are fewer possible keys than possible messages, the outcomes of this experiment are not distributed over all messages and yield some information about the original message. An information-theoretically secure scheme can be used in practice, but it can be difficult to secretly arrange a key each time, so it is not useful for all purposes.

In practice, however, an adversary cannot always utilize the information hidden in an insecure ciphertext because it may take too much time to run the needed computations. Cryptographers make some assumptions about the adversaries who potentially intercept communication. By Kerckhoffs' principle, the adversary is assumed to know the fact that the sender wants to send the receiver some text and also what kind of encryption they use. The key is the only thing that is not known by the adversary. As soon as a key is used multiple times, we can model the power of the adversary in several different ways. In any case an eavesdropper may use all previous ciphertexts in her computation. Historical examples show that we may want to assume that the adversary can trick the sender into encrypting a message (or part of a message) of her choice. We call these chosen-plaintext attacks (CPA). We can go even further and assume that the adversary can trick the honest parties into encrypting and decrypting texts of her choice: chosen-ciphertext attacks (CCA). Thus, what we call a (computationally) secure encryption scheme depends on the kind of attack we want to be secure against, but also on the computational power of the adversary in our model and the time we want to keep our message secret. For some applications it is not a problem if the adversary knows the message after ten years.

To be more general and to be able to compare different schemes, it is convenient to use an asymptotic approach as in complexity theory. The running time of an algorithm is treated as a function of the input length and we are interested in the asymptotic behaviour of this function, in particular whether it grows exponentially. All computations in the model should run in polynomial time. Each computation gets as additional input a string of ones whose length is called the security parameter n. Often it is the same as the length of the input, but it allows algorithms that do not necessarily have any input at all to run for some reasonable time. The running time of the functions that are part of the scheme is then bounded by some fixed polynomial in this security parameter. We only consider adversaries that run in polynomial time in their input, which is the ciphertext, as adversaries winning the game only in super-polynomial time are not considered a threat.

CPA- or CCA-secure encryption schemes must be randomized (apart from the randomness used for generating the key). If a message were encrypted every time as the same ciphertext, it would be easy to detect when a message is sent twice, which gives a lot of information in some cases. A random string, denoted by r, can be used to choose one of a set of encryptions of the message.

There are two different types of encryption: private-key (or symmetric) encryption and public-key (or asymmetric) encryption. Private-key encryption is quite intuitive: two parties that want to communicate share a secret key in advance, for example when they meet physically. Public-key encryption works as follows: the receiver publicly announces an encryption key which works in combination with a secret decryption key (known only to the receiver). This is a very useful and non-trivial concept, but not the main subject of this thesis.

The second goal of cryptography is authentication. We want to detect when a message we receive (from a trusted person) has been tampered with or was sent by an adversary. Roughly speaking, Message Authentication Codes (MACs) are the digital equivalent of handwritten signatures. However, the term digital signature is reserved for the public-key version, because that concept is even more comparable to handwritten signatures, which can be verified by everyone.

3.2 Mathematical Security

Where historical ciphers were just developed in a smart way which was hopefully not thought of by the adversary, modern cryptography deals with commonly known schemes where only the key is secret, according to Kerckhoffs' principle. A scheme is called secure if we can prove mathematically that, whatever strategy an adversary has, she cannot find out anything about the message using the information she has access to.

3.2.1 Encryption

Before we can formally define the security of encryption schemes, we need to define the scheme itself.

Definition 3.1 A private-key encryption scheme is a tuple (Gen, Enc, Dec) where:
- Gen is the key-generation algorithm having as input the security parameter 1^n (the bit string consisting of n consecutive ones), on which it outputs a key k. Often this is just a sample from the uniform distribution on the set of all strings of a certain size.
- Enc is the encryption function which, on input k and a message m ∈ {0, 1}^*, outputs a ciphertext c.
- Dec is the decryption algorithm which takes as input k and c and outputs m.

The encryption scheme is correct if Dec is deterministic and $\mathrm{Dec}_k(\mathrm{Enc}_k(m)) = m$ for all keys k and all messages m.

We define information-theoretic (or perfect) security to illustrate what relaxations are made in the definition of computational security, compared to the semantic definition of security we want to achieve. We start with the most intuitive definition, saying that an adversary cannot learn anything from the ciphertext that was not already known.

Definition 3.2 An encryption scheme (Gen, Enc, Dec) is perfectly secret if for every probability distribution over the message space and every ciphertext c with Pr[C = c] > 0 we have:
$\forall m, c : \Pr[M = m \mid C = c] = \Pr[M = m]$
where the random variable M is the message hidden in the ciphertext random variable C, m is a particular message and c a particular ciphertext.

An equivalent way to define secrecy is to set up a game between a challenger, playing the honest parties, and the adversary, which is won by the adversary if she learns more from the ciphertext than is allowed.
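Definition 3.2 and the brute-force argument of Section 3.1, checked by exhaustive enumeration. This is an added example and not code from the thesis; the 4-bit message space, the one-time pad, the constructed "short key" scheme (a 2-bit key repeated across the message) and the message distributions are all assumptions made for the illustration.

```python
# Added example (not from the thesis): checks Definition 3.2 by exhaustive enumeration
# over 4-bit messages and a uniformly random key, and runs the brute-force attack of
# Section 3.1 against a constructed scheme whose key is shorter than the message.
from collections import defaultdict
from fractions import Fraction
from itertools import product

N = 4                                   # constructed toy message length (bits)
MESSAGES = list(product((0, 1), repeat=N))
UNIFORM = {m: Fraction(1, len(MESSAGES)) for m in MESSAGES}
# a skewed distribution: the all-zero message half of the time (constructed)
SKEWED = {m: (Fraction(1, 2) if m == MESSAGES[0] else Fraction(1, 30)) for m in MESSAGES}


def xor(a, b):
    return tuple(x ^ y for x, y in zip(a, b))


def otp_enc(key, msg):
    """One-time pad: the key is as long as the message and used once."""
    return xor(key, msg)


def short_key_enc(key, msg):
    """Constructed weak scheme: an N/2-bit key repeated to cover the message."""
    return xor(key * (N // len(key)), msg)


def posterior(enc, key_len, msg_dist):
    """Pr[M = m | C = c] for every ciphertext c, the key being uniform over {0,1}^key_len."""
    keys = list(product((0, 1), repeat=key_len))
    joint = defaultdict(Fraction)                       # Pr[M = m and C = c]
    for m, pm in msg_dist.items():
        for k in keys:
            joint[(m, enc(k, m))] += pm / len(keys)
    pc = defaultdict(Fraction)                          # Pr[C = c]
    for (m, c), p in joint.items():
        pc[c] += p
    post = defaultdict(dict)
    for (m, c), p in joint.items():
        post[c][m] = p / pc[c]
    return post


def is_perfectly_secret(enc, key_len, msg_dist=UNIFORM):
    """Definition 3.2: for all m and all c with Pr[C = c] > 0, Pr[M = m | C = c] = Pr[M = m]."""
    for row in posterior(enc, key_len, msg_dist).values():
        if any(row.get(m, Fraction(0)) != pm for m, pm in msg_dist.items()):
            return False
    return True


def brute_force_candidates(enc, key_len, c):
    """Section 3.1 attack: decrypt c under every key. For these XOR schemes decryption is
    the same operation as encryption, so enc(k, c) is the candidate plaintext under key k."""
    return {enc(k, c) for k in product((0, 1), repeat=key_len)}


if __name__ == "__main__":
    c = (1, 0, 1, 1)
    print("OTP perfectly secret:", is_perfectly_secret(otp_enc, N, SKEWED))
    print("short key perfectly secret:", is_perfectly_secret(short_key_enc, N // 2))
    print("messages consistent with c under the short key:",
          sorted(brute_force_candidates(short_key_enc, N // 2, c)))
```

With the 2-bit key only 4 of the 16 messages are consistent with any given ciphertext, so the posterior is 1/4 for those and 0 for the rest, never the prior 1/16. The one-time pad passes the check for every distribution, including the skewed one.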

Definition 3.3 An encryption scheme (Gen, Enc, Dec) is perfectly secret if every adversary wins the following game with probability exactly 1/2.

Eavesdropping game:
1. The adversary A outputs a pair of messages m_0, m_1 ∈ {0, 1}^* of the same length.
2. A random key k is generated by running Gen and a random bit b is chosen by the challenger. c = Enc_k(m_b) is sent to A.
3. A outputs a bit b' and wins if b' = b.

It is easy to see that this notion is equivalent to the first definition. We will not work out the proof here and refer to [KL07]. This game is referred to as $\mathrm{PrivK}^{\mathrm{eav}}_{A,\Pi}$ and is defined to be 1 if A wins and 0 otherwise. We can alternatively write the adversary's final output in this game as the output of the algorithm A on input Enc_k(m_b). The encryption scheme is perfectly secret if
$\Pr[A(\mathrm{Enc}_k(m_b)) = b] = \tfrac{1}{2}$, or equivalently $\Pr[A(\mathrm{Enc}_k(m_0)) = 1] - \Pr[A(\mathrm{Enc}_k(m_1)) = 1] = 0$.
The probability is taken over all randomness used by the challenger, in the encryption scheme or by the adversary.

Because perfect secrecy may be too strong to be manageable and is not needed for most applications, we define several notions of a second, more relaxed type of security. We make the reasonable assumption that all agents are computationally bounded and we do not require security to last infinitely long. Hereby we arrive in the field of computational-complexity theory. The semantic security definition, with an intuitive meaning in the real world, is followed by an equivalent definition in terms of indistinguishability. The semantic definition of computational security we state is a slightly simplified version of the more general definition in the book by Katz and Lindell [KL07]. Following these ideas, stronger definitions can be made to cover adversaries that are more powerful than just eavesdroppers.

Definition 3.4 A private-key encryption scheme Π = (Gen, Enc, Dec) is semantically secure in the presence of an eavesdropper if for any randomized polynomial-time adversary A there exists a randomized polynomial-time algorithm A' such that for all efficiently-sampleable distributions D and all polynomial-time computable functions f there exists a negligible function negl such that
$\bigl|\Pr[A(1^n, \mathrm{Enc}_k(m)) = f(m)] - \Pr[A'(1^n) = f(m)]\bigr| \le \mathrm{negl}(n)$
where m is chosen according to D and the probabilities are taken over the randomness used in the encryption scheme, by the challenger and by the adversary.

The intuition behind this definition is that an encryption is secure if no adversary can in practice (i.e. with polynomially bounded computation power) compute any partial information about the message (f(m)) from the eavesdropped encryption of the message with more than negligible advantage over what can be computed without the ciphertext. Because this definition is not very practical to work with, we use the following equivalent definition, from which we define stronger security notions as well. For the proof of the stated equivalence we refer to the textbook by Oded Goldreich [Gol04].

Definition 3.5 A private-key encryption scheme Π = (Gen, Enc, Dec) has indistinguishable encryptions in the presence of an eavesdropper if for any randomized polynomial-time adversary A there exists a negligible function negl such that
$\Pr[\mathrm{PrivK}^{\mathrm{eav}}_{A,\Pi}(n) = 1] \le \tfrac{1}{2} + \mathrm{negl}(n)$
where the random variable $\mathrm{PrivK}^{\mathrm{eav}}_{A,\Pi}(n)$ is defined by the following game:
1. A gets input 1^n and outputs a pair of messages (m_0, m_1) of the same length.
2. Gen(1^n) generates a key k and a random bit b is chosen by the challenger. c = Enc_k(m_b) is given to A.
3. If A outputs the bit b she succeeds and the output of the game is 1; the output is 0 otherwise.
Again, the probability is over all randomness.

Real-life breaks (i.e. successful attacks) and new insights have led to refinements of the assumptions regarding the adversary. It is easy to adapt the game in the security definition in terms of indistinguishability by changing the abilities of the adversary and the information sources she has access to. We keep the semantic security definition in mind.

Definition 3.6 A private-key encryption scheme Π = (Gen, Enc, Dec) has indistinguishable encryptions under a chosen-plaintext attack (or is CPA-secure) if for any randomized polynomial-time adversary A there exists a negligible function negl such that
$\Pr[\mathrm{PrivK}^{\mathrm{cpa}}_{A,\Pi}(n) = 1] \le \tfrac{1}{2} + \mathrm{negl}(n)$
where the random variable $\mathrm{PrivK}^{\mathrm{cpa}}_{A,\Pi}(n)$ is defined by the following game:
1. Gen(1^n) generates a key k.
2. A gets input 1^n, has oracle access to Enc_k and outputs a pair of messages (m_0, m_1) of the same length.
3. A random bit b is chosen. c = Enc_k(m_b) is given to A.
4. If A, which still has oracle access to Enc_k, outputs the bit b then she succeeds and the output of the game is 1; otherwise the output is 0.

The output of A in this game can also be written as $A^{\mathrm{Enc}_k}(\mathrm{Enc}_k(m_b))$ and the success probability is $\Pr[A^{\mathrm{Enc}_k}(\mathrm{Enc}_k(m_b)) = b]$, where the probability is taken over the possible keys and the randomness of Enc, b and A. The superscript Enc_k means that the algorithm A has oracle access to Enc_k.

For chosen-ciphertext security we define the same game with the only addition that the adversary has oracle access to the decryption function. The adversary is not allowed to query the decryption oracle on the challenge ciphertext c, since this would trivially result in a break.

Definition 3.7 CCA indistinguishability game $\mathrm{PrivK}^{\mathrm{cca}}_{A,\Pi}(n)$:
1. Gen(1^n) generates a key k.
2. A gets input 1^n, has oracle access to Enc_k and Dec_k and outputs a pair of messages (m_0, m_1) of the same length.
3. A random bit b is chosen. c = Enc_k(m_b) is given to A.
4. A still has access to the oracles but is not allowed to query the decryption oracle on c. If A outputs the bit b then she succeeds and the output of the game is 1; otherwise the output is 0.
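The CPA game of Definition 3.6 played out in code, as an added example that is not from the thesis. It pits one adversary against two private-key schemes built from a pseudorandom function F (PRFs are defined in Section 3.3): a deterministic one, Enc_k(m) = F_k(0) ⊕ m, and the randomized one, Enc_k(m; r) = (r, F_k(r) ⊕ m). Assumptions made here: HMAC-SHA256 stands in for the PRF, messages are exactly one block long, and the schemes, the adversary and the trial counts are constructed for the illustration.

```python
# Added example, not from the thesis: the CPA indistinguishability game of Definition 3.6
# played against two private-key schemes built from a PRF F (Definition 3.10). Assumptions:
# HMAC-SHA256 is used as the PRF, messages are one block long, and both schemes, the
# adversary and the parameters are constructed for this illustration.
import hashlib
import hmac
import random

BLOCK = 16  # bytes


def prf(key: bytes, x: bytes) -> bytes:
    """F_k(x), truncated to one block."""
    return hmac.new(key, x, hashlib.sha256).digest()[:BLOCK]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def rand_bytes(rng: random.Random, n: int) -> bytes:
    return bytes(rng.getrandbits(8) for _ in range(n))


def enc_deterministic(k: bytes, m: bytes, rng: random.Random) -> bytes:
    """Enc_k(m) = F_k(0) xor m. No fresh randomness: equal messages give equal ciphertexts."""
    return xor(prf(k, bytes(BLOCK)), m)


def enc_randomized(k: bytes, m: bytes, rng: random.Random) -> bytes:
    """Enc_k(m; r) = (r, F_k(r) xor m) with a fresh random block r per encryption."""
    r = rand_bytes(rng, BLOCK)
    return r + xor(prf(k, r), m)


class RepeatQueryAdversary:
    """Asks the Enc_k oracle for m0 once, then guesses b = 0 exactly when the challenge
    ciphertext equals that oracle answer."""

    def choose(self, oracle):
        m0, m1 = b"A" * BLOCK, b"B" * BLOCK
        self.c0 = oracle(m0)
        return m0, m1

    def guess(self, oracle, c: bytes) -> int:
        return 0 if c == self.c0 else 1


def cpa_game(enc, adversary_factory, trials: int, seed: int = 0) -> float:
    """Runs PrivK^cpa_{A,Pi} `trials` times with fresh keys and returns A's success rate."""
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        k = rand_bytes(rng, BLOCK)                    # step 1: Gen
        oracle = lambda m, k=k: enc(k, m, rng)        # steps 2 and 4: oracle access to Enc_k
        adv = adversary_factory()
        m0, m1 = adv.choose(oracle)
        b = rng.getrandbits(1)                        # step 3: the challenger's bit
        c = enc(k, (m0, m1)[b], rng)
        if adv.guess(oracle, c) == b:
            wins += 1
    return wins / trials


if __name__ == "__main__":
    print("deterministic scheme:", cpa_game(enc_deterministic, RepeatQueryAdversary, 200))
    print("randomized scheme:   ", cpa_game(enc_randomized, RepeatQueryAdversary, 200))
```

Against the deterministic scheme the adversary wins every trial, which is the concrete form of the remark in Section 3.1 that CPA-secure encryption must be randomized. Against the randomized scheme the fresh r makes the challenge differ from the earlier oracle answer, so the same adversary is reduced to guessing and wins about half the time.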

3.2.2 Authentication

We want to have formal security definitions for authentication as well. We start with the definition of a MAC.

Definition 3.8 A Message Authentication Code (MAC) is a triple of randomized polynomial-time algorithms (Gen, Mac, Vrfy):
- Gen outputs a key k on input 1^n (the security parameter), with |k| ≥ n.
- Mac takes input m ∈ {0, 1}^* and k and outputs a tag t.
- Vrfy checks the validity of the tag: on input m, k and t it outputs 0 or 1.

The authentication scheme is correct if indeed Mac_k(m) = t (for some randomness r) when Vrfy_k(m, t) = 1, and Mac_k(m) ≠ t (for all r) when Vrfy_k(m, t) = 0.

The definition of secure MACs needs to formalize the requirement that a message from a trusted sender cannot be changed by an adversary without being noticed by the receiver. This requirement immediately covers the infeasibility of sending a message as if it were sent by this particular trusted party. For MACs there is only one definition in general use (and variations of it), which is security against the adaptive chosen-message attack.

Definition 3.9 A MAC is existentially unforgeable under adaptive chosen-message attacks if for any randomized polynomial-time adversary the probability that the adversary wins the following game is negligible.

MAC-forge game:
1. Gen(1^n) generates a random key k.
2. A is given input 1^n and oracle access to Mac_k. A wins if she outputs a pair (m, t) such that m was not queried and Vrfy_k(m, t) = 1.

We can equivalently say that the adversary wins if she outputs q + 1 distinct valid message-tag pairs, where q is the number of queries made. We will use this formulation to define quantum security in Chapter 5.

Note that it is possible for an adversary to send a valid message-tag pair of a MAC that is secure according to this definition, by resending a pair that was sent by a trusted sender. A MAC can be protected against these replay attacks by requiring a sequence number or a time-stamp as part of each message, but we will not discuss this further.

Roughly the same security definition works for public-key authentication: signature schemes. The difference in the game is that everyone, including the adversary, can check the validity of a signature using the public key.

3.3 Pseudorandomness

A cryptographic scheme is secure against a certain class of adversaries if ciphertexts look random to all adversaries in that class. This is exactly what pseudorandomness achieves: making much pseudorandom output from little random input. Apart from that, pseudorandomness can be used as an alternative for real randomness. One of the applications, and the one we study in this thesis, is the almost trivial construction of MACs from pseudorandom functions (PRFs). PRFs can be made from pseudorandom generators, which in their turn can be built using one-way functions.

Definition 3.10 A pseudorandom function is an efficient length-preserving keyed function $f : \{0,1\}^* \times \{0,1\}^* \to \{0,1\}^*$ such that for all randomized polynomial-time algorithms D there exists a negligible function negl such that
$\bigl|\Pr[D^{f_k}(1^n) = 1] - \Pr[D^{g}(1^n) = 1]\bigr| \le \mathrm{negl}(n)$
where the key $k \in \{0,1\}^n$ and the function $g : \{0,1\}^n \to \{0,1\}^n$ are chosen uniformly at random.

Definition 3.11 A pseudorandom generator is an efficient deterministic algorithm G which, on input s ∈ {0, 1}^n, outputs a string of length l(n) such that:
- The expansion factor l(n) is a polynomial in n with l(n) > n for all n.
- No randomized polynomial-time algorithm D can distinguish G(s) from a uniformly random string of the same length:
$\bigl|\Pr[D(r) = 1] - \Pr[D(G(s)) = 1]\bigr| \le \mathrm{negl}(n)$
where s and r are uniformly random strings of respective sizes n and l(n), and negl is some negligible function (that may depend on D).

Definition 3.12 A one-way function is a function $f : \{0,1\}^* \to \{0,1\}^*$ which is easy to compute and hard to invert:
- There exists a polynomial-time algorithm M_f such that $\forall x : M_f(x) = f(x)$.
- Any randomized polynomial-time A wins the following inverting (or collision-finding) game only with negligible probability: A is given 1^n and f(x) for a random x ∈ {0, 1}^n and outputs x'. A wins if f(x') = f(x).
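The MAC-forge game of Definition 3.9, in the "q + 1 distinct valid pairs after q queries" form that Chapter 5 builds on, run against the PRF-based MAC of Section 3.3. This is an added example, not code from the thesis. It assumes HMAC-SHA256 as the PRF; the second MAC (which applies the PRF to a message prefix only), the adversaries and the messages are constructed to show what the win condition catches and what it does not (a replayed pair).

```python
# Added example, not from the thesis: the MAC-forge game of Definition 3.9 in its
# "q + 1 distinct valid pairs after q queries" form, played against the PRF-based MAC
# of Section 3.3 and against a constructed MAC that only authenticates a message prefix.
# The PRF is HMAC-SHA256 (assumed to be a PRF); adversaries and messages are constructed.
import hashlib
import hmac
import os

PREFIX = 8  # bytes authenticated by the deliberately weak MAC below


def prf_mac(key: bytes, m: bytes) -> bytes:
    """Mac_k(m) = F_k(m): the PRF applied to the whole message."""
    return hmac.new(key, m, hashlib.sha256).digest()


def prefix_mac(key: bytes, m: bytes) -> bytes:
    """Constructed insecure MAC: the PRF is applied to the first PREFIX bytes only."""
    return hmac.new(key, m[:PREFIX], hashlib.sha256).digest()


class MacOracle:
    """The challenger's Mac_k oracle; it counts the queries q made to it."""

    def __init__(self, mac, key: bytes):
        self.mac, self.key, self.queries = mac, key, 0

    def __call__(self, m: bytes) -> bytes:
        self.queries += 1
        return self.mac(self.key, m)


def forge_game(mac, adversary, key: bytes = None) -> bool:
    """True iff the adversary outputs q + 1 distinct valid (m, t) pairs after q queries.
    Vrfy_k(m, t) recomputes the deterministic tag and compares in constant time."""
    key = key if key is not None else os.urandom(32)
    oracle = MacOracle(mac, key)
    pairs = adversary(oracle)
    valid = {(m, t) for m, t in set(pairs) if hmac.compare_digest(mac(key, m), t)}
    return len(valid) >= oracle.queries + 1


def replay_adversary(oracle) -> list:
    """Resends a pair obtained from the oracle: 1 query, 1 valid pair, so no forgery."""
    m = b"transfer 10 EUR"
    return [(m, oracle(m))]


def prefix_extension_adversary(oracle) -> list:
    """One query, then a second pair on an unqueried message sharing the first PREFIX bytes."""
    m = b"transfer 10 EUR to Bob"
    t = oracle(m)
    return [(m, t), (b"transfer 10 EUR to Eve", t)]


if __name__ == "__main__":
    for name, mac in (("PRF MAC", prf_mac), ("prefix MAC", prefix_mac)):
        print(name, "replay:", forge_game(mac, replay_adversary),
              "prefix extension:", forge_game(mac, prefix_extension_adversary))
```

The replay adversary never wins: she returns exactly as many valid pairs as queries, which is why replay protection has to come from sequence numbers or time-stamps rather than from this definition. The prefix-extension adversary wins against the prefix MAC with two valid pairs after one query, and loses against the PRF MAC because the tag of the unqueried message is a fresh pseudorandom value.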

4 Quantum Computing

This chapter provides some background on quantum computing. Section 4.1 is an introduction to quantum computers. Section 4.2 is about the formal definition and the commonly used notation to write down computations concisely. Section 4.3 describes the famous EPR pair [EPR35], illustrating the phenomenon of entanglement. In Section 4.4 we introduce the query model, in which a function is modelled as a black box or oracle instead of a subroutine of an algorithm. The algorithm may query a quantum oracle on any superposition of inputs. We prove the equivalence of two different implementations of oracle queries to any (non-Boolean) function. This shows that the implementation we work with in Chapter 6 is equivalent to the implementation Boneh and Zhandry use [BZ13a].

4.1 Introduction

To describe small particles one should use the theory of quantum mechanics. Although modern elements of computer chips are too small to behave classically, the unwanted quantum mechanical behaviour is corrected, because we want computers to work as we expect and as classical software is designed. Theoretically, it is also possible to exploit the quantum effects and build a computer based on these phenomena instead of classical logic. In practice it has been shown to be possible to build a quantum computer consisting of very few quantum bits (the analogue of a classical bit), and researchers are working on other methods that are hopefully more scalable. It is not clear whether it is possible at all, or when, a quantum computer will be built with computing power comparable to state-of-the-art classical computers, but when the time comes, we can no longer expect our adversaries to use classical computers only.

The theoretical aspects of quantum computation have been studied since the 1980s, and discoveries have been made that are of great importance for cryptography. The bad news is that, using Shor's surprisingly efficient quantum algorithm for factorization, it is easy to break the widely used RSA public-key encryption schemes. The good news is that there exist information-theoretically secure encryption schemes that use quantum computation and communication to distribute their keys. However, when quantum computers first become usable, they will be scarce and expensive, and honest parties who want to communicate securely will in general not have access to a quantum computer, while criminal organizations may have. In this situation it is important to use classical cryptographic schemes proven to be secure against quantum attacks. The research field that investigates the vulnerability of existing or new classical schemes to quantum power is called post-quantum cryptography. A lot of (symmetric) schemes that are proven to be classically secure are expected to be quantum-secure as well, maybe under some additional conditions, but new proofs and/or proof techniques are required.

Three important phenomena in quantum mechanics are superposition, interference and the collapse after measurement. Superposition means a system can be in more than one state at a time, each with some amplitude (a complex coefficient). Due to interference, positive and negative amplitudes can cancel each other out. In quantum computing a qubit can be both 0 and 1 at the same time, but after a measurement the qubit collapses into a classical basis state. The probability that the qubit is measured as 0 is the squared modulus of the amplitude of this state. The squared moduli of all amplitudes must sum up to one. A system or register of n qubits can be in a superposition of 2^n states at the same time, and algorithms on this register may compute a function on 2^n different inputs simultaneously. However, it is not possible to see the outcomes of all these parallel computations, because the register will collapse to a single basis state after measurement. Only if interference can be used in a smart way can the measurement tell us something about multiple inputs. There are only a few specific problems for which there exists a quantum algorithm that is much (exponentially) faster than any known classical algorithm solving the problem. In the field of quantum computing, people often make use of the circuit model of algorithms, which is, like the classical model, equivalent to the model of (quantum) Turing machines.

4.2 Technical Framework

The state of a qubit can be written as a two-dimensional vector $\begin{pmatrix} \alpha \\ \beta \end{pmatrix}$ in a Hilbert space, where α is the amplitude of the basis vector $\begin{pmatrix} 1 \\ 0 \end{pmatrix}$ and β the amplitude of $\begin{pmatrix} 0 \\ 1 \end{pmatrix}$. α and β are complex numbers and their squared absolute values sum up to 1. We use the more concise Dirac notation, which is conventional in both quantum mechanics and quantum computing. In this notation, a column vector $\varphi = \begin{pmatrix} \alpha \\ \beta \end{pmatrix}$ is written as the ket $|\varphi\rangle = \alpha|0\rangle + \beta|1\rangle$ and a row vector ψ as the bra $\langle\psi|$. The product bra-ket $\langle\psi|\varphi\rangle$ is the inner product of the two vectors, which corresponds with the widely used notation for the inner product.

Every operation that can be applied to a quantum state preserves the following property of a quantum state: the sum of the squared amplitudes is 1. In terms of linear algebra, this means that operations or circuit gates on a quantum state can be written as unitary matrices left-multiplied with the state.

The tensor product is used to combine multiple qubits or registers of qubits into one big quantum system. The set of possible classical states of a combined system is the Cartesian product of the state sets of each part. The combined state of two qubits $|\varphi\rangle$ and $|\psi\rangle$ is written as $|\varphi\rangle \otimes |\psi\rangle$ and sometimes abbreviated to $|\varphi\rangle|\psi\rangle$, $|\varphi, \psi\rangle$ or $|\varphi\psi\rangle$. The bit string that arises in this way, in the case of basis states, can be written as a number between 0 and 2^n − 1, where n is the length of the bit string. Two parallel unitary transformations on two registers equal the tensor product of the operations applied to the tensor product of the registers.

When we measure a register of n qubits in the state $|\varphi\rangle = \sum_{j=0}^{2^n-1} \alpha_j |j\rangle$, the probability of seeing the classical state j is $|\alpha_j|^2$. We say that the quantum state has collapsed to the classical state j after the measurement. All other information the quantum state held is lost. This standard implementation is called measurement in the computational basis, but there are more possibilities. In general, measurements in any orthonormal basis can be described as a projective measurement. For more information about this see for example the first chapter of Ronald de Wolf's PhD thesis [dW01] or the textbook by Nielsen and Chuang [NC00].

The circuit model for classical computation uses logical gates such as NOT, AND, OR and XOR. There are different minimal sets of gates which generate all other gates. The same is true for quantum computing if we allow a negligible error probability. The following quantum gates are commonly used:
$X = \begin{pmatrix} 0 & 1 \\ 1 & 0 \end{pmatrix}$, $Z = \begin{pmatrix} 1 & 0 \\ 0 & -1 \end{pmatrix}$
The bit-flip gate X is the quantum equivalent of NOT and Z is a phase-flip gate. The Hadamard gate changes a classical state into a very quantum state: it sends both $|0\rangle$ and $|1\rangle$ to a uniform superposition over the two states. The phase flip on the amplitude of $|1\rangle$ makes the difference.
$H = \frac{1}{\sqrt{2}} \begin{pmatrix} 1 & 1 \\ 1 & -1 \end{pmatrix}$, $\mathrm{CNOT} = \begin{pmatrix} 1 & 0 & 0 & 0 \\ 0 & 1 & 0 & 0 \\ 0 & 0 & 0 & 1 \\ 0 & 0 & 1 & 0 \end{pmatrix}$
The controlled-NOT gate negates the second bit if the first bit is 1 and does nothing otherwise.

4.3 Entanglement

An important phenomenon that illustrates the counter-intuitive character of quantum mechanics is entanglement. Possibly separated particles can be related such that they seem to communicate instantly over any distance. However, this is impossible because no matter or information can travel faster than light. Something is going on that looks like communication, but it is something else. The following circuit creates two qubits that are fully entangled: an EPR pair (named after a famous paper by Einstein, Podolsky and Rosen [EPR35]).

(Circuit: a Hadamard gate $H$ on qubit $q_0$, followed by a CNOT gate with $q_0$ as control and $q_1$ as target.)

We calculate the state after this circuit, applied on $|00\rangle$. The Hadamard gate on the first bit transforms it to $\frac{1}{\sqrt{2}}(|00\rangle + |10\rangle)$. Now the CNOT gate flips the second bit to 1 if the first bit is 1. This means that either both bits are 1 or both bits are 0. The state we have is $\frac{1}{\sqrt{2}}(|00\rangle + |11\rangle)$. Suppose that Alice holds the first qubit and the second qubit is given to Bob, who takes it to a place far away from Alice. If Alice now measures her qubit and sees (say) 1, then Bob's qubit collapses at the same moment: if Bob measures his qubit, he will see 1 as well. This could not have happened as a causal relation, since it happened faster than anything sent by Alice could reach Bob. This contradicts relativity theory unless (at least) one of the following two assumptions (which we tend to make intuitively) is dropped.

realism: the physical properties that objects have are independent of observation.
locality: measurements cannot influence the outcome of other measurements from a distance.

Although Alice and Bob can share entanglement, they cannot send each other information faster than light. When Alice measures her qubit, she cannot choose to which state her or Bob's qubit will collapse. Neither can Bob.

4.4 Query Model

Instead of time complexity, quantum algorithms are often analysed in terms of query complexity. If we know how many queries an algorithm needs to make to some function or random-access memory, we have a lower bound on the computing time as well. Each query costs one time step. The query model is used in cryptography as well. In the security definitions we assumed adversaries to have oracle access to the encryption, decryption or MAC function. A lower bound on the number of queries an adversary needs to break a scheme immediately implies a lower bound on the time the break takes, so query complexity is useful in this field too. The difference between the two fields is that cryptographers treat oracles as functions: the query is an element of the domain of the function and the answer is an element of the range, whereas in quantum computing oracles are usually memory of which the algorithm queries a bit by its index. It is not a big difference, since a bit string is just a Boolean function and any function can be represented as a string. However, we have to be careful with the details. The main theorem in Chapter 6 is about a cryptographic non-Boolean oracle, which is the reason why we have to prove a standard technique used in quantum computing for this general case (Proposition 6.2).

A quantum algorithm may query the oracle on a superposition of inputs. There are different possibilities to implement an oracle answering a superposition query. We describe two commonly used implementations and prove their equivalence.

Proposition 4.1 Let $f : X \to Y$ be the function to which an algorithm has oracle access, $|X| = n$, $|Y| = m$. The following two transformations on a register of qubits are equivalent formalizations of a single superposition query. The register consists of three parts. The first part $x$ is used for the query, $b$ for the answer and $w$ is workspace.

addition query $O_f : |x, b, w\rangle \mapsto |x, b + f(x), w\rangle$, where $+$ is the operation of the group in which $b$ and $f(x)$ live, in this case addition modulo $m$.

phase query $O'_f : |x, b, w\rangle \mapsto \omega_m^{b \cdot f(x)} |x, b, w\rangle$, where $\omega_m$ is the $m$-th complex root of unity $e^{2\pi i / m}$.

Proof We prove equivalence by giving two circuits that implement one formalization using the other. These circuits show that we get one type of query by viewing the operation of the other type in a different basis, since the only thing we do is change to the Fourier basis to make the query and then change back to the computational basis. We start with the implementation of a phase query using an addition query.

Circuit:
The inverse Fourier transform is applied on the first register $b$.

The transformation of the addition query is applied on the total state.
The Fourier transform is applied on the first register.

By $F_m$ we denote the $m$-th Fourier transform, which is an $m$-by-$m$ matrix with entries $\frac{1}{\sqrt{m}} \omega_m^{jk}$, where $j$ is the row and $k$ the column of the entry. The inverse of the Fourier transform $F_m^{-1}$ is defined similarly: each entry is $\frac{1}{\sqrt{m}} \omega_m^{-jk}$. From here on, we often omit the $m$ if it is clear which root is meant. At the start of the circuit, the registers of the algorithm are in the following state:

$$\sum_{x,b,w} \alpha_{xbw} |x, b, w\rangle$$

After the application of the inverse Fourier transform on $b$, each basis state $|x, b, w\rangle$ becomes $\frac{1}{\sqrt{m}} \sum_{j=0}^{m-1} \omega_m^{-bj} |x, j, w\rangle$, so the total state is:

$$\frac{1}{\sqrt{m}} \sum_{x,b,w} \alpha_{xbw} \sum_{j=0}^{m-1} \omega_m^{-bj} |x, j, w\rangle$$

On this state the transformation of the addition query is applied, which results in the following state:

$$\frac{1}{\sqrt{m}} \sum_{x,b,w} \alpha_{xbw} \sum_{j=0}^{m-1} \omega_m^{-bj} |x, j + f(x), w\rangle$$

Then after the Fourier transform we get:

$$\begin{aligned}
& \frac{1}{\sqrt{m}} \sum_{x,b,w} \alpha_{xbw} \sum_{j=0}^{m-1} \omega_m^{-bj} \frac{1}{\sqrt{m}} \sum_{k=0}^{m-1} \omega_m^{k(j + f(x))} |x, k, w\rangle \\
&= \frac{1}{m} \sum_{x,b,w} \alpha_{xbw} \sum_{j=0}^{m-1} \sum_{k=0}^{m-1} \omega_m^{-bj} \omega_m^{k(j + f(x))} |x, k, w\rangle \\
&= \frac{1}{m} \sum_{x,b,w} \alpha_{xbw} \sum_{k=0}^{m-1} \sum_{j=0}^{m-1} \omega_m^{j(k - b) + k f(x)} |x, k, w\rangle \\
&= \frac{1}{m} \sum_{x,b,w} \alpha_{xbw} \Big( \sum_{k \neq b} \sum_{j=0}^{m-1} \omega_m^{j(k - b) + k f(x)} |x, k, w\rangle + \sum_{j=0}^{m-1} \omega_m^{j(b - b) + b f(x)} |x, b, w\rangle \Big)
\end{aligned}$$

We split the sum over $k$ into a single term $k = b$ and the sum over all other terms. The reason for this is that all terms $k \neq b$ have the form

$$\sum_{j=0}^{m-1} \omega_m^{j(k - b) + k f(x)} |x, k, w\rangle = \sum_{j=0}^{m-1} \omega_m^{jc + k f(x)} |x, k, w\rangle$$

for some non-zero constant $c$ (with $|c| < m$, so $m \nmid c$). By Proposition 4.2 (below), each of these sums over $j$ equals 0. So we are only left with the term $k = b$, which is exactly our definition of the phase query (the sum over $j$ contributes a factor $m$ that cancels the $\frac{1}{m}$ in front):

$$\sum_{j=0}^{m-1} \omega_m^{j(b - b) + b f(x)} |x, b, w\rangle = \sum_{j=0}^{m-1} \omega_m^{b f(x)} |x, b, w\rangle$$

The second part of the proof is to show that we can implement the addition query using a phase query. The circuit is very similar to the previous one, namely the Fourier transform and its inverse have swapped places: the Fourier transform is applied before the query and the inverse Fourier transform after the query. We start again with some arbitrary state:

$$\sum_{x,b,w} \alpha_{xbw} |x, b, w\rangle$$

The Fourier transform is applied to the $b$-register of this state, which turns it into:

$$\frac{1}{\sqrt{m}} \sum_{x,b,w} \alpha_{xbw} \sum_{j=0}^{m-1} \omega_m^{bj} |x, j, w\rangle$$

Then a query is made, implemented as a phase change, resulting in:

$$\frac{1}{\sqrt{m}} \sum_{x,b,w} \alpha_{xbw} \sum_{j=0}^{m-1} \omega^{bj} \omega^{j f(x)} |x, j, w\rangle$$

And after the inverse Fourier transform we have the state:

$$\begin{aligned}
& \frac{1}{\sqrt{m}} \sum_{x,b,w} \alpha_{xbw} \sum_{j=0}^{m-1} \omega^{bj} \omega^{j f(x)} \frac{1}{\sqrt{m}} \sum_{k=0}^{m-1} \omega^{-jk} |x, k, w\rangle \\
&= \frac{1}{m} \sum_{x,b,w} \alpha_{xbw} \sum_{k=0}^{m-1} \sum_{j=0}^{m-1} \omega^{bj} \omega^{j f(x)} \omega^{-jk} |x, k, w\rangle \\
&= \frac{1}{m} \sum_{x,b,w} \alpha_{xbw} \Big( \sum_{k \neq b + f(x)} \sum_{j=0}^{m-1} \omega^{j(b + f(x) - k)} |x, k, w\rangle + \sum_{j=0}^{m-1} \omega^{0} |x, b + f(x), w\rangle \Big)
\end{aligned}$$

Using Proposition 4.2 we get:

$$\begin{aligned}
& \frac{1}{m} \sum_{x,b,w} \alpha_{xbw} \Big( 0 + \sum_{j=0}^{m-1} \omega^{j \cdot 0} |x, b + f(x), w\rangle \Big) \\
&= \frac{1}{m} \sum_{x,b,w} \alpha_{xbw} \, m \, |x, b + f(x), w\rangle \\
&= \sum_{x,b,w} \alpha_{xbw} |x, b + f(x), w\rangle
\end{aligned}$$

Proposition 4.2 Let $\omega_m = e^{2\pi i / m}$ for $m \in \mathbb{N}$ and let $c$ be a non-zero integer that is not a multiple of $m$ ($m \nmid c$). Then

$$\sum_{j=0}^{m-1} \omega_m^{jc} = 0$$

Proof It follows directly from the well-known formula for the sum of a geometric series, but it gives more insight to see the proof. For $c = 1$ one can easily see that the sum ranges over exactly all distinct powers of omega on the unit circle in the complex plane. Viewing these points, it is intuitively clear that they sum up to 0 because they are evenly distributed on the circle. We can show this algebraically for arbitrary $c$ by showing that the set of points, and thus their sum, stays the same if we rotate everything by an angle of $\frac{2\pi c}{m}$.

$$\begin{aligned}
e^{\frac{2\pi i c}{m}} \sum_{j=0}^{m-1} e^{\frac{2\pi i c}{m} j} &= \sum_{j=0}^{m-1} e^{\frac{2\pi i c}{m} j} e^{\frac{2\pi i c}{m}} = \sum_{j=0}^{m-1} e^{\frac{2\pi i c}{m} (j+1)} = \sum_{k=1}^{m} e^{\frac{2\pi i c}{m} k} \\
&= \sum_{k=1}^{m-1} e^{\frac{2\pi i c}{m} k} + e^{\frac{2\pi i c}{m} m} = \sum_{k=1}^{m-1} e^{\frac{2\pi i c}{m} k} + 1 \\
&= \sum_{k=1}^{m-1} e^{\frac{2\pi i c}{m} k} + e^{\frac{2\pi i c}{m} 0} = \sum_{k=0}^{m-1} e^{\frac{2\pi i c}{m} k}
\end{aligned}$$

If a multiplication (of elements in a field) does not change an object, then either the object is multiplied by (the identity) one, or the object is zero. Because $e^{\frac{2\pi i c}{m}} \neq 1$ if $c$ is not a multiple of $m$, it follows that the sum must be 0.
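As an added example (not part of the thesis), the following pure-Python simulation implements both query formalizations of Proposition 4.1 on a register $|x, b\rangle$ with $f : \{0, \dots, n-1\} \to \{0, \dots, m-1\}$, runs the two circuits from the proof, and checks numerically that they agree with the direct queries; it also evaluates the root-of-unity sum of Proposition 4.2. The function $f$ and the random superposition are constructed sample inputs, and the workspace register $w$ is omitted because no operation in the proof touches it.

```python
import cmath
import random

# Added example, not from the thesis. The register |x, b> is stored as a flat
# list of complex amplitudes indexed by x*m + b, with x in {0..n-1} and
# b in {0..m-1}. The workspace register w is omitted (it is never touched).


def omega(m):
    """The m-th complex root of unity e^{2 pi i / m}."""
    return cmath.exp(2j * cmath.pi / m)


def addition_query(state, f, n, m):
    """Addition query O_f: |x, b> -> |x, b + f(x) mod m>."""
    out = [0j] * (n * m)
    for x in range(n):
        for b in range(m):
            out[x * m + (b + f(x)) % m] += state[x * m + b]
    return out


def phase_query(state, f, n, m):
    """Phase query O'_f: |x, b> -> omega_m^{b f(x)} |x, b>."""
    w = omega(m)
    return [state[x * m + b] * w ** (b * f(x)) for x in range(n) for b in range(m)]


def fourier_on_b(state, n, m, inverse=False):
    """Apply F_m (entries omega^{jk}/sqrt(m)) or F_m^{-1} (omega^{-jk}/sqrt(m))
    to the b register, leaving the x register untouched."""
    w = omega(m) ** (-1 if inverse else 1)
    norm = 1 / m ** 0.5
    out = [0j] * (n * m)
    for x in range(n):
        for k in range(m):          # output basis state |x, k>
            acc = 0j
            for j in range(m):      # input basis state |x, j>
                acc += w ** (j * k) * state[x * m + j]
            out[x * m + k] = norm * acc
    return out


def phase_via_addition(state, f, n, m):
    """First circuit of the proof: F_m^{-1} on b, addition query, F_m on b."""
    s = fourier_on_b(state, n, m, inverse=True)
    s = addition_query(s, f, n, m)
    return fourier_on_b(s, n, m)


def addition_via_phase(state, f, n, m):
    """Second circuit of the proof: F_m on b, phase query, F_m^{-1} on b."""
    s = fourier_on_b(state, n, m)
    s = phase_query(s, f, n, m)
    return fourier_on_b(s, n, m, inverse=True)


def root_of_unity_sum(m, c):
    """Proposition 4.2: sum_{j=0}^{m-1} omega_m^{jc}, which is 0 unless m | c."""
    return sum(omega(m) ** (j * c) for j in range(m))


def random_state(n, m, seed=0):
    """A constructed, normalized superposition over all |x, b> (sample input)."""
    rng = random.Random(seed)
    amps = [complex(rng.uniform(-1, 1), rng.uniform(-1, 1)) for _ in range(n * m)]
    norm = sum(abs(a) ** 2 for a in amps) ** 0.5
    return [a / norm for a in amps]


def max_diff(u, v):
    """Largest amplitude-wise difference between two state vectors."""
    return max(abs(a - b) for a, b in zip(u, v))


def check_equivalence(n=4, m=5, seed=0):
    """Return the largest deviation between each direct query and its
    implementation through the other query type, on a random superposition."""
    f = lambda x: (3 * x + 1) % m      # constructed non-Boolean oracle X -> Y
    psi = random_state(n, m, seed)
    d_phase = max_diff(phase_query(psi, f, n, m), phase_via_addition(psi, f, n, m))
    d_add = max_diff(addition_query(psi, f, n, m), addition_via_phase(psi, f, n, m))
    return max(d_phase, d_add)


if __name__ == "__main__":
    print("max deviation between the two formalizations:", check_equivalence())
    print("|sum| for m=6, c=4 (m does not divide c):", abs(root_of_unity_sum(6, 4)))
    print("sum for m=6, c=12 (m divides c):", root_of_unity_sum(6, 12).real)
```

The deviation printed is rounding noise only (on the order of 1e-15), which is the numerical counterpart of the two chains of equalities in the proof.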

5 Quantum Security Models

In this chapter we discuss different ways to model a quantum attacker. In any case a quantum adversary can use a quantum computer to run quantum algorithms. We know that for some public-key schemes, the key can be learned using a quantum algorithm. When RSA is used, for example, the adversary can compute the prime numbers (secret key) from their product (public key). Of course quantum adversaries have access to the same sources of information or oracles as their classical counterparts. When we are reasoning about communication and oracle queries in situations in which there are classical computers as well as quantum computers, the communication can be quantum or classical.

The choices we make for our security models depend on how adversaries in reality gain certain information. For example, in the random oracle model, the random oracle would in reality be replaced by some hash function which can be computed by the adversary itself. Because we can never be sure how an adversary implements the hash function, we assume in our model that the adversary can compute it in superposition. Analogously, the random oracle may be queried in superposition by the adversary. Boneh et al. [BDF+11] show that security in this quantum random-oracle model is harder to prove for schemes in general. They even construct a scheme that is secure if the random oracle is queried only classically, but insecure if it is queried in superposition.

Other oracles that occur in security definitions are the pseudorandom and uniformly random functions in distinguishing games, encryption and decryption oracles, and signing oracles. In the line of random-oracle proofs, it is interesting to look at pseudorandom functions since they can be used to simulate a random oracle. In general, quantum-secure pseudorandom functions can be used for several things if one wants to have a conservative model with minimized limitations on the adversary's abilities. Zhandry [Zha12] shows that quantum-secure pseudorandom functions are needed to simulate quantum-accessible random oracles if the number of queries is not bounded in advance. Here quantum-accessible random oracle means that the adversary can query the oracle on a superposition of states. This can be implemented in several ways, as explained in Chapter 4. Equivalently, a PRF is quantum secure if it cannot be distinguished from a uniformly random function by an adversary making quantum queries to the oracle.

Going further in giving adversaries superposition oracle access becomes more difficult when we consider encryption and authentication, because the security games are not trivial to translate. While in the case of pseudorandom functions there is only the oracle to consider and no other input (except for the security parameter), it gets more complex when we model encryption games in which adversaries have communication back and forth. Which inputs does the adversary get in superposition?

5.1 Encryption

Recall the security game of a chosen-plaintext attack on an encryption scheme (Definition 3.6).

1. $\mathrm{Gen}(1^n)$ generates a key $k$.
2. $A$ gets input $1^n$, has oracle access to $\mathrm{Enc}_k$ and outputs a pair of messages $(m_0, m_1)$ of the same length.
3. A random bit $b$ is chosen. $\mathrm{Enc}(m_b) = c$ is given to $A$.
4. If $A$, which still has oracle access to $\mathrm{Enc}$, outputs the bit $b$ then it succeeds and the output of the game is 1, otherwise the output is 0.

To turn this into a superposition-chosen-plaintext attack, the first option is to make the oracle access to $\mathrm{Enc}_k$ quantum. That is, the adversary can query the oracle on a superposition of inputs, getting back a superposition of answers. To see how useful this definition is, we look at the real-life scenario this definition aims to model. Usually, in the field of post-quantum cryptography, it is assumed that the adversary has a quantum computer and the honest parties have only a classical machine. If both the sender and the receiver had quantum computers, they would be able to use quantum cryptography. However, it is possible that Alice, having a quantum computer, chooses to

use a classical scheme to communicate with several others (maybe without a quantum computer) and has found an implementation of the scheme for her quantum computer. If the adversary finds a way to get the final superposition of this quantum encryption algorithm just before Alice measures it to send it classically, then the scenario fits with the adversary getting superposition answers. To be conservative, we assume that the adversary can choose any superposition to query in this way (however unrealistic this may sound).

Assuming that the adversary can obtain the final superposition of the encrypted queries, we cannot always exclude that the adversary can do the same for all messages that are sent by Alice. We want to have the choice to make this assumption or not. Allowing the adversary to see all superpositions of ciphertexts means that the challenge ciphertext $c_b$ would also be in some superposition. Boneh and Zhandry [BZ13b] formalize this (as a first try) in the following way, without much discussion about why this is a reasonable option.

Definition 5.1 [BZ13b, Definition 4.1] A private-key encryption scheme $\Pi = (\mathrm{Gen}, \mathrm{Enc}, \mathrm{Dec})$ is indistinguishable under a fully quantum chosen-plaintext attack (IND-fqCPA secure) if no efficient adversary $A$ can win the following game, except with probability at most $\frac{1}{2} + \mathrm{negl}$:

1. A key $k$ is generated using $\mathrm{Gen}$ and a random bit $b$ is chosen.
2. $A$ is allowed to make chosen-message queries on superpositions of message pairs. For each such query, the challenger chooses randomness $r$, and encrypts the appropriate message in each pair using $r$ as randomness:
$$\sum_{m_0, m_1, c} \psi_{m_0, m_1, c} |m_0, m_1, c\rangle \;\mapsto\; \sum_{m_0, m_1, c} \psi_{m_0, m_1, c} |m_0, m_1, c \oplus \mathrm{Enc}_k(m_b; r)\rangle$$
3. $A$ produces a bit and wins the game if the bit is equal to $b$.

Because every oracle answer contains information about $b$, this adversary is very powerful. Boneh and Zhandry prove that there cannot exist a scheme that satisfies this definition, because the message query is entangled with the answer. They try to solve this problem by changing the implementation of the queries: both messages will be encrypted, but depending on $b$ the order is flipped in the answer. Unfortunately, this definition does not solve the problem: they prove that this definition is at least as strong as the first one.

They proceed with the same game we mentioned above. In this game (Definition 5.2), the challenge ciphertext is one of $\mathrm{Enc}(m_0)$ and $\mathrm{Enc}(m_1)$, where the classical pair $(m_0, m_1)$ is chosen by the adversary.

Definition 5.2 [BZ13b, Definition 4.5] A private-key encryption scheme $\Pi = (\mathrm{Gen}, \mathrm{Enc}, \mathrm{Dec})$ is indistinguishable under a quantum chosen-plaintext attack (IND-qCPA secure) if no efficient adversary $A$ can win the following game, except with probability at most $\frac{1}{2} + \mathrm{negl}$:

1. A key $k$ is generated using $\mathrm{Gen}$, and a random bit $b$ is chosen.
2. $A$ is allowed to make:
   challenge queries: $A$ sends a pair $(m_0, m_1)$ and gets back $c = \mathrm{Enc}(k, m_b)$.
   encryption queries: For each such query, the challenger chooses randomness $r$, and encrypts each message using $r$ as randomness:
   $$\sum_{m, c} \psi_{m, c} |m, c\rangle \;\mapsto\; \sum_{m, c} \psi_{m, c} |m, c \oplus \mathrm{Enc}_k(m; r)\rangle$$
3. $A$ produces a bit and wins the game if the bit is equal to $b$.

What is reasonable to allow the adversary in order to model the real world? To answer this question, we recall the ideas that led to the traditional definition. The adversary has access to the encryption oracle to model the ability of tricking an honest party into sending particular messages. We want to assume, in this new model, that this tricking can be done in superposition. It can be the case that a copy of an encryption device is in the hands of the adversary. This device works as a black box, so it can be run on superpositions of messages without revealing the key. The message pair $(m_0, m_1)$ of the classical distinguishing game is introduced to have two situations that the adversary can try to distinguish. This distinguishing ability should be equivalent or close to the ability of learning some information about the messages Alice genuinely sends to Bob. To prove that, whatever Alice wants to send, the adversary learns nothing (new) from the ciphertext, we let the adversary choose the pair (classically) in the game. We have to keep in mind that in reality there is no communication between the adversary and the sender; the communication with the challenger exists

in the model to ensure that the scheme is secure for any such pair. To cover all scenarios, we do want to assume that the adversary can always get the sender's superposition just before it is to be measured and sent. Note that the sender loses the quantum state in this case and the sending process is aborted. We do not discuss the question why the sender wants to send a measured superposition of messages; we just want to be general. Even if the definition is too strong for most uses, we want to have the choice to use it instead of weaker ones. Above all, it is interesting to compare different models.

The semantic notion of security we want to achieve is the following: no adversary can learn anything about the superposition of messages the sender started with, from the superposition of ciphertexts the sender was about to measure and send. Our goal is to state this notion as a distinguishing game. We propose to give the adversary the task to distinguish between two superpositions of ciphertexts. As in the classical case, we let the adversary choose the two superpositions, because it has to be safe for any message the sender may send. The formalization we use (Definition 5.3) is not, as Boneh and Zhandry do, the same as the implementation of the queries, in which the query itself is still part of the state afterwards. In our model the adversary sends a pair of superpositions over a quantum channel and receives one of the two superpositions of ciphertexts, depending on $b$. We require that the pair of superpositions is not entangled. This may seem questionable, but since the pair does not model any real state prepared by the adversary, it is reasonable to make this requirement. Note that a special case is the situation in which the adversary chooses two classical states. Because there is no entanglement between different registers of the adversary, we are (at least at first sight) not facing the problem that occurs with the mentioned option Boneh and Zhandry proposed. It is easy to see that this definition is stronger than (what they call) IND-qCPA security, because the latter is a special case. Whether it is feasible at all and, if so, whether it is strictly stronger than IND-qCPA security is an interesting open question.

Definition 5.3 A private-key encryption scheme $\Pi = (\mathrm{Gen}, \mathrm{Enc}, \mathrm{Dec})$ is indistinguishable under a superposition chosen-plaintext attack (IND-sCPA secure) if no efficient adversary $A$ can win the following game, except with probability at most negl:

1. A key $k$ is generated using $\mathrm{Gen}$ and a random bit $b$ is chosen.


More information

Generalized Linear Methods

Generalized Linear Methods Generalzed Lnear Methods 1 Introducton In the Ensemble Methods the general dea s that usng a combnaton of several weak learner one could make a better learner. More formally, assume that we have a set

More information

Assortment Optimization under MNL

Assortment Optimization under MNL Assortment Optmzaton under MNL Haotan Song Aprl 30, 2017 1 Introducton The assortment optmzaton problem ams to fnd the revenue-maxmzng assortment of products to offer when the prces of products are fxed.

More information

Message modification, neutral bits and boomerangs

Message modification, neutral bits and boomerangs Message modfcaton, neutral bts and boomerangs From whch round should we start countng n SHA? Antone Joux DGA and Unversty of Versalles St-Quentn-en-Yvelnes France Jont work wth Thomas Peyrn 1 Dfferental

More information

COS 521: Advanced Algorithms Game Theory and Linear Programming

COS 521: Advanced Algorithms Game Theory and Linear Programming COS 521: Advanced Algorthms Game Theory and Lnear Programmng Moses Charkar February 27, 2013 In these notes, we ntroduce some basc concepts n game theory and lnear programmng (LP). We show a connecton

More information

Lecture 4: November 17, Part 1 Single Buffer Management

Lecture 4: November 17, Part 1 Single Buffer Management Lecturer: Ad Rosén Algorthms for the anagement of Networs Fall 2003-2004 Lecture 4: November 7, 2003 Scrbe: Guy Grebla Part Sngle Buffer anagement In the prevous lecture we taled about the Combned Input

More information

Lecture 17 : Stochastic Processes II

Lecture 17 : Stochastic Processes II : Stochastc Processes II 1 Contnuous-tme stochastc process So far we have studed dscrete-tme stochastc processes. We studed the concept of Makov chans and martngales, tme seres analyss, and regresson analyss

More information

THE SUMMATION NOTATION Ʃ

THE SUMMATION NOTATION Ʃ Sngle Subscrpt otaton THE SUMMATIO OTATIO Ʃ Most of the calculatons we perform n statstcs are repettve operatons on lsts of numbers. For example, we compute the sum of a set of numbers, or the sum of the

More information

Department of Statistics University of Toronto STA305H1S / 1004 HS Design and Analysis of Experiments Term Test - Winter Solution

Department of Statistics University of Toronto STA305H1S / 1004 HS Design and Analysis of Experiments Term Test - Winter Solution Department of Statstcs Unversty of Toronto STA35HS / HS Desgn and Analyss of Experments Term Test - Wnter - Soluton February, Last Name: Frst Name: Student Number: Instructons: Tme: hours. Ads: a non-programmable

More information

} Often, when learning, we deal with uncertainty:

} Often, when learning, we deal with uncertainty: Uncertanty and Learnng } Often, when learnng, we deal wth uncertanty: } Incomplete data sets, wth mssng nformaton } Nosy data sets, wth unrelable nformaton } Stochastcty: causes and effects related non-determnstcally

More information

Lecture 5 Decoding Binary BCH Codes

Lecture 5 Decoding Binary BCH Codes Lecture 5 Decodng Bnary BCH Codes In ths class, we wll ntroduce dfferent methods for decodng BCH codes 51 Decodng the [15, 7, 5] 2 -BCH Code Consder the [15, 7, 5] 2 -code C we ntroduced n the last lecture

More information

Communication Complexity 16:198: February Lecture 4. x ij y ij

Communication Complexity 16:198: February Lecture 4. x ij y ij Communcaton Complexty 16:198:671 09 February 2010 Lecture 4 Lecturer: Troy Lee Scrbe: Rajat Mttal 1 Homework problem : Trbes We wll solve the thrd queston n the homework. The goal s to show that the nondetermnstc

More information

CS : Algorithms and Uncertainty Lecture 17 Date: October 26, 2016

CS : Algorithms and Uncertainty Lecture 17 Date: October 26, 2016 CS 29-128: Algorthms and Uncertanty Lecture 17 Date: October 26, 2016 Instructor: Nkhl Bansal Scrbe: Mchael Denns 1 Introducton In ths lecture we wll be lookng nto the secretary problem, and an nterestng

More information

Finding Primitive Roots Pseudo-Deterministically

Finding Primitive Roots Pseudo-Deterministically Electronc Colloquum on Computatonal Complexty, Report No 207 (205) Fndng Prmtve Roots Pseudo-Determnstcally Ofer Grossman December 22, 205 Abstract Pseudo-determnstc algorthms are randomzed search algorthms

More information

U.C. Berkeley CS294: Spectral Methods and Expanders Handout 8 Luca Trevisan February 17, 2016

U.C. Berkeley CS294: Spectral Methods and Expanders Handout 8 Luca Trevisan February 17, 2016 U.C. Berkeley CS94: Spectral Methods and Expanders Handout 8 Luca Trevsan February 7, 06 Lecture 8: Spectral Algorthms Wrap-up In whch we talk about even more generalzatons of Cheeger s nequaltes, and

More information

Cryptanalysis of pairing-free certificateless authenticated key agreement protocol

Cryptanalysis of pairing-free certificateless authenticated key agreement protocol Cryptanalyss of parng-free certfcateless authentcated key agreement protocol Zhan Zhu Chna Shp Development Desgn Center CSDDC Wuhan Chna Emal: zhuzhan0@gmal.com bstract: Recently He et al. [D. He J. Chen

More information

More metrics on cartesian products

More metrics on cartesian products More metrcs on cartesan products If (X, d ) are metrc spaces for 1 n, then n Secton II4 of the lecture notes we defned three metrcs on X whose underlyng topologes are the product topology The purpose of

More information

Module 3 LOSSY IMAGE COMPRESSION SYSTEMS. Version 2 ECE IIT, Kharagpur

Module 3 LOSSY IMAGE COMPRESSION SYSTEMS. Version 2 ECE IIT, Kharagpur Module 3 LOSSY IMAGE COMPRESSION SYSTEMS Verson ECE IIT, Kharagpur Lesson 6 Theory of Quantzaton Verson ECE IIT, Kharagpur Instructonal Objectves At the end of ths lesson, the students should be able to:

More information

and problem sheet 2

and problem sheet 2 -8 and 5-5 problem sheet Solutons to the followng seven exercses and optonal bonus problem are to be submtted through gradescope by :0PM on Wednesday th September 08. There are also some practce problems,

More information

Quantum Mechanics for Scientists and Engineers. David Miller

Quantum Mechanics for Scientists and Engineers. David Miller Quantum Mechancs for Scentsts and Engneers Davd Mller Types of lnear operators Types of lnear operators Blnear expanson of operators Blnear expanson of lnear operators We know that we can expand functons

More information

763622S ADVANCED QUANTUM MECHANICS Solution Set 1 Spring c n a n. c n 2 = 1.

763622S ADVANCED QUANTUM MECHANICS Solution Set 1 Spring c n a n. c n 2 = 1. 7636S ADVANCED QUANTUM MECHANICS Soluton Set 1 Sprng 013 1 Warm-up Show that the egenvalues of a Hermtan operator  are real and that the egenkets correspondng to dfferent egenvalues are orthogonal (b)

More information

Hash functions : MAC / HMAC

Hash functions : MAC / HMAC Hash functons : MAC / HMAC Outlne Message Authentcaton Codes Keyed hash famly Uncondtonally Secure MACs Ref: D Stnson: Cryprography Theory and Practce (3 rd ed), Chap 4. Unversal hash famly Notatons: X

More information

1 GSW Iterative Techniques for y = Ax

1 GSW Iterative Techniques for y = Ax 1 for y = A I m gong to cheat here. here are a lot of teratve technques that can be used to solve the general case of a set of smultaneous equatons (wrtten n the matr form as y = A), but ths chapter sn

More information

Algebraic properties of polynomial iterates

Algebraic properties of polynomial iterates Algebrac propertes of polynomal terates Alna Ostafe Department of Computng Macquare Unversty 1 Motvaton 1. Better and cryptographcally stronger pseudorandom number generators (PRNG) as lnear constructons

More information

Quadratic speedup for unstructured search - Grover s Al-

Quadratic speedup for unstructured search - Grover s Al- Quadratc speedup for unstructured search - Grover s Al- CS 94- gorthm /8/07 Sprng 007 Lecture 11 001 Unstructured Search Here s the problem: You are gven a boolean functon f : {1,,} {0,1}, and are promsed

More information

= z 20 z n. (k 20) + 4 z k = 4

= z 20 z n. (k 20) + 4 z k = 4 Problem Set #7 solutons 7.2.. (a Fnd the coeffcent of z k n (z + z 5 + z 6 + z 7 + 5, k 20. We use the known seres expanson ( n+l ( z l l z n below: (z + z 5 + z 6 + z 7 + 5 (z 5 ( + z + z 2 + z + 5 5

More information

The Multiple Classical Linear Regression Model (CLRM): Specification and Assumptions. 1. Introduction

The Multiple Classical Linear Regression Model (CLRM): Specification and Assumptions. 1. Introduction ECONOMICS 5* -- NOTE (Summary) ECON 5* -- NOTE The Multple Classcal Lnear Regresson Model (CLRM): Specfcaton and Assumptons. Introducton CLRM stands for the Classcal Lnear Regresson Model. The CLRM s also

More information

Subset Topological Spaces and Kakutani s Theorem

Subset Topological Spaces and Kakutani s Theorem MOD Natural Neutrosophc Subset Topologcal Spaces and Kakutan s Theorem W. B. Vasantha Kandasamy lanthenral K Florentn Smarandache 1 Copyrght 1 by EuropaNova ASBL and the Authors Ths book can be ordered

More information

Edge Isoperimetric Inequalities

Edge Isoperimetric Inequalities November 7, 2005 Ross M. Rchardson Edge Isopermetrc Inequaltes 1 Four Questons Recall that n the last lecture we looked at the problem of sopermetrc nequaltes n the hypercube, Q n. Our noton of boundary

More information

Some Consequences. Example of Extended Euclidean Algorithm. The Fundamental Theorem of Arithmetic, II. Characterizing the GCD and LCM

Some Consequences. Example of Extended Euclidean Algorithm. The Fundamental Theorem of Arithmetic, II. Characterizing the GCD and LCM Example of Extended Eucldean Algorthm Recall that gcd(84, 33) = gcd(33, 18) = gcd(18, 15) = gcd(15, 3) = gcd(3, 0) = 3 We work backwards to wrte 3 as a lnear combnaton of 84 and 33: 3 = 18 15 [Now 3 s

More information

Einstein-Podolsky-Rosen Paradox

Einstein-Podolsky-Rosen Paradox H 45 Quantum Measurement and Spn Wnter 003 Ensten-odolsky-Rosen aradox The Ensten-odolsky-Rosen aradox s a gedanken experment desgned to show that quantum mechancs s an ncomplete descrpton of realty. The

More information

Feature Selection: Part 1

Feature Selection: Part 1 CSE 546: Machne Learnng Lecture 5 Feature Selecton: Part 1 Instructor: Sham Kakade 1 Regresson n the hgh dmensonal settng How do we learn when the number of features d s greater than the sample sze n?

More information

Linear Approximation with Regularization and Moving Least Squares

Linear Approximation with Regularization and Moving Least Squares Lnear Approxmaton wth Regularzaton and Movng Least Squares Igor Grešovn May 007 Revson 4.6 (Revson : March 004). 5 4 3 0.5 3 3.5 4 Contents: Lnear Fttng...4. Weghted Least Squares n Functon Approxmaton...

More information

Lecture 3: Shannon s Theorem

Lecture 3: Shannon s Theorem CSE 533: Error-Correctng Codes (Autumn 006 Lecture 3: Shannon s Theorem October 9, 006 Lecturer: Venkatesan Guruswam Scrbe: Wdad Machmouch 1 Communcaton Model The communcaton model we are usng conssts

More information

Case A. P k = Ni ( 2L i k 1 ) + (# big cells) 10d 2 P k.

Case A. P k = Ni ( 2L i k 1 ) + (# big cells) 10d 2 P k. THE CELLULAR METHOD In ths lecture, we ntroduce the cellular method as an approach to ncdence geometry theorems lke the Szemeréd-Trotter theorem. The method was ntroduced n the paper Combnatoral complexty

More information

Stanford University CS254: Computational Complexity Notes 7 Luca Trevisan January 29, Notes for Lecture 7

Stanford University CS254: Computational Complexity Notes 7 Luca Trevisan January 29, Notes for Lecture 7 Stanford Unversty CS54: Computatonal Complexty Notes 7 Luca Trevsan January 9, 014 Notes for Lecture 7 1 Approxmate Countng wt an N oracle We complete te proof of te followng result: Teorem 1 For every

More information

Section 8.3 Polar Form of Complex Numbers

Section 8.3 Polar Form of Complex Numbers 80 Chapter 8 Secton 8 Polar Form of Complex Numbers From prevous classes, you may have encountered magnary numbers the square roots of negatve numbers and, more generally, complex numbers whch are the

More information

Basically, if you have a dummy dependent variable you will be estimating a probability.

Basically, if you have a dummy dependent variable you will be estimating a probability. ECON 497: Lecture Notes 13 Page 1 of 1 Metropoltan State Unversty ECON 497: Research and Forecastng Lecture Notes 13 Dummy Dependent Varable Technques Studenmund Chapter 13 Bascally, f you have a dummy

More information

Speeding up Computation of Scalar Multiplication in Elliptic Curve Cryptosystem

Speeding up Computation of Scalar Multiplication in Elliptic Curve Cryptosystem H.K. Pathak et. al. / (IJCSE) Internatonal Journal on Computer Scence and Engneerng Speedng up Computaton of Scalar Multplcaton n Ellptc Curve Cryptosystem H. K. Pathak Manju Sangh S.o.S n Computer scence

More information

STAT 309: MATHEMATICAL COMPUTATIONS I FALL 2018 LECTURE 16

STAT 309: MATHEMATICAL COMPUTATIONS I FALL 2018 LECTURE 16 STAT 39: MATHEMATICAL COMPUTATIONS I FALL 218 LECTURE 16 1 why teratve methods f we have a lnear system Ax = b where A s very, very large but s ether sparse or structured (eg, banded, Toepltz, banded plus

More information

Chapter 5. Solution of System of Linear Equations. Module No. 6. Solution of Inconsistent and Ill Conditioned Systems

Chapter 5. Solution of System of Linear Equations. Module No. 6. Solution of Inconsistent and Ill Conditioned Systems Numercal Analyss by Dr. Anta Pal Assstant Professor Department of Mathematcs Natonal Insttute of Technology Durgapur Durgapur-713209 emal: anta.bue@gmal.com 1 . Chapter 5 Soluton of System of Lnear Equatons

More information

U.C. Berkeley CS294: Beyond Worst-Case Analysis Luca Trevisan September 5, 2017

U.C. Berkeley CS294: Beyond Worst-Case Analysis Luca Trevisan September 5, 2017 U.C. Berkeley CS94: Beyond Worst-Case Analyss Handout 4s Luca Trevsan September 5, 07 Summary of Lecture 4 In whch we ntroduce semdefnte programmng and apply t to Max Cut. Semdefnte Programmng Recall that

More information

Linear, affine, and convex sets and hulls In the sequel, unless otherwise specified, X will denote a real vector space.

Linear, affine, and convex sets and hulls In the sequel, unless otherwise specified, X will denote a real vector space. Lnear, affne, and convex sets and hulls In the sequel, unless otherwse specfed, X wll denote a real vector space. Lnes and segments. Gven two ponts x, y X, we defne xy = {x + t(y x) : t R} = {(1 t)x +

More information

Density matrix. c α (t)φ α (q)

Density matrix. c α (t)φ α (q) Densty matrx Note: ths s supplementary materal. I strongly recommend that you read t for your own nterest. I beleve t wll help wth understandng the quantum ensembles, but t s not necessary to know t n

More information

Week 2. This week, we covered operations on sets and cardinality.

Week 2. This week, we covered operations on sets and cardinality. Week 2 Ths week, we covered operatons on sets and cardnalty. Defnton 0.1 (Correspondence). A correspondence between two sets A and B s a set S contaned n A B = {(a, b) a A, b B}. A correspondence from

More information

COS 511: Theoretical Machine Learning. Lecturer: Rob Schapire Lecture # 15 Scribe: Jieming Mao April 1, 2013

COS 511: Theoretical Machine Learning. Lecturer: Rob Schapire Lecture # 15 Scribe: Jieming Mao April 1, 2013 COS 511: heoretcal Machne Learnng Lecturer: Rob Schapre Lecture # 15 Scrbe: Jemng Mao Aprl 1, 013 1 Bref revew 1.1 Learnng wth expert advce Last tme, we started to talk about learnng wth expert advce.

More information

Lecture 4. Instructor: Haipeng Luo

Lecture 4. Instructor: Haipeng Luo Lecture 4 Instructor: Hapeng Luo In the followng lectures, we focus on the expert problem and study more adaptve algorthms. Although Hedge s proven to be worst-case optmal, one may wonder how well t would

More information

APPENDIX A Some Linear Algebra

APPENDIX A Some Linear Algebra APPENDIX A Some Lnear Algebra The collecton of m, n matrces A.1 Matrces a 1,1,..., a 1,n A = a m,1,..., a m,n wth real elements a,j s denoted by R m,n. If n = 1 then A s called a column vector. Smlarly,

More information

4 Analysis of Variance (ANOVA) 5 ANOVA. 5.1 Introduction. 5.2 Fixed Effects ANOVA

4 Analysis of Variance (ANOVA) 5 ANOVA. 5.1 Introduction. 5.2 Fixed Effects ANOVA 4 Analyss of Varance (ANOVA) 5 ANOVA 51 Introducton ANOVA ANOVA s a way to estmate and test the means of multple populatons We wll start wth one-way ANOVA If the populatons ncluded n the study are selected

More information

The Second Anti-Mathima on Game Theory

The Second Anti-Mathima on Game Theory The Second Ant-Mathma on Game Theory Ath. Kehagas December 1 2006 1 Introducton In ths note we wll examne the noton of game equlbrum for three types of games 1. 2-player 2-acton zero-sum games 2. 2-player

More information

Week 5: Neural Networks

Week 5: Neural Networks Week 5: Neural Networks Instructor: Sergey Levne Neural Networks Summary In the prevous lecture, we saw how we can construct neural networks by extendng logstc regresson. Neural networks consst of multple

More information

Comments on a secure dynamic ID-based remote user authentication scheme for multiserver environment using smart cards

Comments on a secure dynamic ID-based remote user authentication scheme for multiserver environment using smart cards Comments on a secure dynamc ID-based remote user authentcaton scheme for multserver envronment usng smart cards Debao He chool of Mathematcs tatstcs Wuhan nversty Wuhan People s Republc of Chna Emal: hedebao@63com

More information

Note on EM-training of IBM-model 1

Note on EM-training of IBM-model 1 Note on EM-tranng of IBM-model INF58 Language Technologcal Applcatons, Fall The sldes on ths subject (nf58 6.pdf) ncludng the example seem nsuffcent to gve a good grasp of what s gong on. Hence here are

More information

12 MATH 101A: ALGEBRA I, PART C: MULTILINEAR ALGEBRA. 4. Tensor product

12 MATH 101A: ALGEBRA I, PART C: MULTILINEAR ALGEBRA. 4. Tensor product 12 MATH 101A: ALGEBRA I, PART C: MULTILINEAR ALGEBRA Here s an outlne of what I dd: (1) categorcal defnton (2) constructon (3) lst of basc propertes (4) dstrbutve property (5) rght exactness (6) localzaton

More information

The Minimum Universal Cost Flow in an Infeasible Flow Network

The Minimum Universal Cost Flow in an Infeasible Flow Network Journal of Scences, Islamc Republc of Iran 17(2): 175-180 (2006) Unversty of Tehran, ISSN 1016-1104 http://jscencesutacr The Mnmum Unversal Cost Flow n an Infeasble Flow Network H Saleh Fathabad * M Bagheran

More information

Salmon: Lectures on partial differential equations. Consider the general linear, second-order PDE in the form. ,x 2

Salmon: Lectures on partial differential equations. Consider the general linear, second-order PDE in the form. ,x 2 Salmon: Lectures on partal dfferental equatons 5. Classfcaton of second-order equatons There are general methods for classfyng hgher-order partal dfferental equatons. One s very general (applyng even to

More information

Psychology 282 Lecture #24 Outline Regression Diagnostics: Outliers

Psychology 282 Lecture #24 Outline Regression Diagnostics: Outliers Psychology 282 Lecture #24 Outlne Regresson Dagnostcs: Outlers In an earler lecture we studed the statstcal assumptons underlyng the regresson model, ncludng the followng ponts: Formal statement of assumptons.

More information

Foundations of Arithmetic

Foundations of Arithmetic Foundatons of Arthmetc Notaton We shall denote the sum and product of numbers n the usual notaton as a 2 + a 2 + a 3 + + a = a, a 1 a 2 a 3 a = a The notaton a b means a dvdes b,.e. ac = b where c s an

More information