On the power of non-adaptive quantum chosen-ciphertext attacks

Similar documents
arxiv: v1 [quant-ph] 29 Aug 2018

Unforgeable quantum encryption. Christian Majenz Joint work with Gorjan Alagic and Tommaso Gagliardoni

Semantic Security and Indistinguishability in the Quantum World

Cryptography. Lecture 2: Perfect Secrecy and its Limitations. Gil Segev

CTR mode of operation

Quantum-secure symmetric-key cryptography based on Hidden Shifts

A Generic Hybrid Encryption Construction in the Quantum Random Oracle Model

Lossy Trapdoor Functions and Their Applications

Block encryption of quantum messages

CPA-Security. Definition: A private-key encryption scheme

An intro to lattices and learning with errors

Post-quantum security models for authenticated encryption

Modern Cryptography Lecture 4

Post-Quantum Security of the Fujisaki-Okamoto (FO) and OAEP Transforms

El Gamal A DDH based encryption scheme. Table of contents

Cryptology. Scribe: Fabrice Mouhartem M2IF

Public-Key Cryptography. Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange

Lecture 5, CPA Secure Encryption from PRFs

Shai Halevi IBM August 2013

6.892 Computing on Encrypted Data September 16, Lecture 2

Classical hardness of the Learning with Errors problem

Outline Proxy Re-Encryption NTRU NTRUReEncrypt PS-NTRUReEncrypt Experimental results Conclusions. NTRUReEncrypt

III. Pseudorandom functions & encryption

Lecture 11: Non-Interactive Zero-Knowledge II. 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian problem

8 Security against Chosen Plaintext

Background: Lattices and the Learning-with-Errors problem

1 Public-key encryption

Public Key Cryptography

On Post-Quantum Cryptography

Block ciphers And modes of operation. Table of contents

Perfectly-Secret Encryption

Unforgeable Quantum Encryption

Lecture 13: Private Key Encryption

Shift Cipher. For 0 i 25, the ith plaintext character is. E.g. k = 3

How to Encrypt with the LPN Problem

Quantum-Secure Symmetric-Key Cryptography Based on Hidden Shifts

Chosen-Ciphertext Security (I)

Computational security & Private key encryption

1 Number Theory Basics

General Impossibility of Group Homomorphic Encryption in the Quantum World

Fully Homomorphic Encryption

Pr[C = c M = m] = Pr[C = c] Pr[M = m] Pr[M = m C = c] = Pr[M = m]

Cryptography CS 555. Topic 24: Finding Prime Numbers, RSA

Lecture 5: Pseudorandom functions from pseudorandom generators

5199/IOC5063 Theory of Cryptology, 2014 Fall

Classical hardness of Learning with Errors

Lecture 4: Perfect Secrecy: Several Equivalent Formulations

Chapter 2 : Perfectly-Secret Encryption

THE RANK METHOD AND APPLICATIONS TO POST- QUANTUM CRYPTOGRAPHY

Notes on Property-Preserving Encryption

U.C. Berkeley CS276: Cryptography Luca Trevisan February 5, Notes for Lecture 6

6.892 Computing on Encrypted Data October 28, Lecture 7

Scribe for Lecture #5

Report on Learning with Errors over Rings-based HILA5 and its CCA Security

arxiv: v2 [cs.cr] 14 Feb 2018

Lattice-Based Cryptography. Chris Peikert University of Michigan. QCrypt 2016

10 Concrete candidates for public key crypto

Introduction to Cryptology. Lecture 3

Modern symmetric-key Encryption

Lecture 2: Perfect Secrecy and its Limitations

Notes for Lecture 17

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

Lattice Cryptography

1 Indistinguishability for multiple encryptions

UvA-DARE (Digital Academic Repository) Semantic security and indistinguishability in the quantum world Gagliardoni, T.; Hülsing, A.; Schaffner, C.

Secure Signatures and Chosen Ciphertext Security in a Post-Quantum World

Lecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004

Symmetric Encryption

Public-Key Cryptosystems from the Worst-Case Shortest Vector Problem. Chris Peikert Georgia Tech

Lecture 9 - Symmetric Encryption

CS 6260 Applied Cryptography

A Posteriori Openable Public Key Encryption *

ECS 189A Final Cryptography Spring 2011

COS 597C: Recent Developments in Program Obfuscation Lecture 7 (10/06/16) Notes for Lecture 7

Chapter 11 : Private-Key Encryption

ENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange

Question 2.1. Show that. is non-negligible. 2. Since. is non-negligible so is μ n +

Non-malleability under Selective Opening Attacks: Implication and Separation

Lecture 7: CPA Security, MACs, OWFs

Post-quantum Security of the CBC, CFB, OFB, CTR, and XTS Modes of Operation.

Notes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3.

Notes for Lecture 16

Tighter Security Proofs for GPV-IBE in the Quantum Random Oracle Model. Shuichi Katsumata (The University of Tokyo /AIST) Takashi Yamakawa (NTT)

Provable security. Michel Abdalla

Codes and Cryptography. Jorge L. Villar. MAMME, Fall 2015 PART XII

CSA E0 235: Cryptography March 16, (Extra) Lecture 3

QUANTUM HOMOMORPHIC ENCRYPTION FOR POLYNOMIAL-SIZED CIRCUITS

arxiv: v1 [quant-ph] 30 Aug 2017

Applied cryptography

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 7

A survey on quantum-secure cryptographic systems

Advanced Topics in Cryptography

A note on the equivalence of IND-CCA & INT-PTXT and IND-CCA & INT-CTXT

Quantum-secure message authentication via blind-unforgeability

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004

Lecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography

Searchable encryption & Anonymous encryption

Two-Round PAKE from Approximate SPH and Instantiations from Lattices

The Cramer-Shoup Cryptosystem

Ideal Lattices and Ring-LWE: Overview and Open Problems. Chris Peikert Georgia Institute of Technology. ICERM 23 April 2015

Transcription:

On the power of non-adaptive quantum chosen-ciphertext attacks joint work with Gorjan Alagic (UMD, NIST), Stacey Jeffery (QuSoft, CWI), and Maris Ozols (QuSoft, UvA) Alexander Poremba August 29, 2018 Heidelberg University; California Institute of Technology QCrypt 2018

Cryptography + Quantum Computation 1

Cryptography + Quantum Computation 1

Cryptography + Quantum Computation 1

Security in a quantum world

Security in a quantum world What makes a classical scheme Π = (KeyGen, Enc, Dec) quantum-secure? ciphertexts reveal no information about plaintexts (should look indistinguishable ) assumption that adversaries are quantum, i.e. run in quantum polynomial-time (QPT). Definition: (Indistinguishability - IND) Π has indistinguishable ciphertexts if QPT A: Pr[A wins IndGame] = 1/2 + negl(n) 2

Non-adaptive quantum chosen-ciphertext attacks (AJOP 18) What if A gets lunch-time access to encryption & decryption?( = chosen-ciphertext attack) Definition: (Non-adaptive quantum chosen-ciphertext security) Π is IND-QCCA1 secure if QPT A: Pr[A wins IndGame] = 1/2 + negl(n) 3

Non-adaptive quantum chosen-ciphertext attacks (AJOP 18) What if A gets lunch-time access to encryption & decryption?( = chosen-ciphertext attack) Definition: (Non-adaptive quantum chosen-ciphertext security) Π is IND-QCCA1 secure if QPT A: Pr[A wins IndGame] = 1/2 + negl(n) 3

A secure encryption scheme

Quantum random access codes (Ambainis et al. 08) 4

Quantum random access codes (Ambainis et al. 08) Lemma: (AJOP 18) Average bias on message length N = 2 n and poly(n)-sized quantum state is O(2 n/2 poly(n)). 4

A secure symmetric-key encryption scheme Theorem: (AJOP 18) The construction Π = (KeyGen, Enc, Dec) with QPRF {f k : {0, 1} n {0, 1} n } is IND-QCCA1: KeyGen: sample a key k $ {0, 1} n Enc k (m) = (r, f k (r) m), for r Dec k (r, c) = c f k (r) $ {0, 1} n quantum-secure pseudorandom function (QPRF) 5

A secure symmetric-key encryption scheme Theorem: (AJOP 18) The construction Π = (KeyGen, Enc, Dec) with QPRF {f k : {0, 1} n {0, 1} n } is IND-QCCA1: KeyGen: sample a key k $ {0, 1} n Enc k (m) = (r, f k (r) m), for r Dec k (r, c) = c f k (r) $ {0, 1} n quantum-secure pseudorandom function (QPRF) Proof idea. Fix a QPT adversary A. 1. Replace f k with a random function f (by the QPRF assumption) 2. QRAC reduction: Use A against IND-QCCA1 security to construct a code. By Lemma, the advantage is ɛ = O(2 n/2 poly(n)). 5

Learning with Errors

Learning with Errors (Regev 05) Learning with Errors (LWE) primary basis of hardness for post-quantum cryptography allows for PKE, FHE, QPRFs,... 6

Learning with Errors (Regev 05) Learning with Errors (LWE) primary basis of hardness for post-quantum cryptography allows for PKE, FHE, QPRFs,... Search problem: Recover a secret string s Z n q from a set of noisy linear equations modulo q. a1 $ Z n q; c 1 = a1, s + e 1 a2 $ Z n q; c 2 = a2, s + e 2. am $ Z n q; c m = am, s + e m, 6

Learning with Errors (Regev 05) Learning with Errors (LWE) primary basis of hardness for post-quantum cryptography allows for PKE, FHE, QPRFs,... Search problem: Recover a secret string s Z n q from a set of noisy linear equations modulo q. Symmetric-key encryption using LWE KeyGen: choose key s $ Z n q. Enc s (b) = (a, a, s + e + b q/2 ) Dec s (a, c) = 0, if c a, s q 4, else 1. a1 $ Z n q; c 1 = a1, s + e 1 a2 $ Z n q; c 2 = a2, s + e 2. am $ Z n q; c m = am, s + e m, 6

Learning with Errors (Regev 05) Learning with Errors (LWE) primary basis of hardness for post-quantum cryptography allows for PKE, FHE, QPRFs,... Search problem: Recover a secret string s Z n q from a set of noisy linear equations modulo q. Symmetric-key encryption using LWE KeyGen: choose key s $ Z n q. Enc s (b) = (a, a, s + e + b q/2 ) Dec s (a, c) = 0, if c a, s q 4, else 1. b = 0 b = 1 a1 $ Z n q; c 1 = a1, s + e 1 a2 $ Z n q; c 2 = a2, s + e 2. am $ Z n q; c m = am, s + e m, 0 q/2 6

Learning with Errors (Regev 05) Learning with Errors (LWE) primary basis of hardness for post-quantum cryptography allows for PKE, FHE, QPRFs,... Search problem: Recover a secret string s Z n q from a set of noisy linear equations modulo q. a1 $ Z n q; c 1 = a1, s + e 1 a2 $ Z n q; c 2 = a2, s + e 2. am $ Z n q; c m = am, s + e m, Symmetric-key encryption using LWE KeyGen: choose key s $ Z n q. Enc s (b) = (a, a, s + e + b q/2 ) Dec s (a, c) = 0, if c a, s q 4, else 1. This talk: new quantum attack on plain LWE encryption attack uses a single quantum decryption classical attack: Ω(n log q) quantum attack: O(1). 6

Quantum attack

Bernstein-Vazirani for linear rounding (AJOP 18) Linear rounding function with key s Z n q, Oracle: U LRFs : x b x b LRF s (x) { 0 if x, s q 4 LRF s (x) := 1 otherwise Algorithm: 1 q n x Z n q x 0 1 2 1 q n ( 1) LRFs(x) x x Z n q 1 q n y,x Z n q ( 1) LRFs(x) e 2πi q x,y y 7

Bernstein-Vazirani for linear rounding (AJOP 18) Linear rounding function with key s Z n q, Oracle: U LRFs : x b x b LRF s (x) { 0 if x, s q 4 LRF s (x) := Success probability: Pr[y = s] 4/π 2. 1 otherwise Algorithm: 1 q n x Z n q x 0 1 2 1 q n ( 1) LRFs(x) x x Z n q 1 q n y,x Z n q ( 1) LRFs(x) e 2πi q x,y y 7

Our results (AJOP 18) IND-QCCA2 (BZ 13) IND-QCCA1 (AJOP 18) IND-QCPA (BJ 15) Non-adative quantum chosen-ciphertext attacks: 1. Formal security definition (IND-QCCA1) half-way between existing security notions 2. A secure symmetric-key encryption scheme: QPRF construction uses quantum-secure pseudorandom functions proof technique: quantum random access codes 3. Quantum attack on Learning with Errors encryption Bernstein-Vazirani algorithm for linear rounding 8

Questions? 8

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback