Semantic Security and Indistinguishability in the Quantum World

Similar documents
UvA-DARE (Digital Academic Repository) Semantic security and indistinguishability in the quantum world Gagliardoni, T.; Hülsing, A.; Schaffner, C.

On the power of non-adaptive quantum chosen-ciphertext attacks

Unforgeable quantum encryption. Christian Majenz Joint work with Gorjan Alagic and Tommaso Gagliardoni

Post-quantum Security of the CBC, CFB, OFB, CTR, and XTS Modes of Operation.

Notes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3.

Modern symmetric-key Encryption

Random Oracles in a Quantum World

III. Pseudorandom functions & encryption

General Impossibility of Group Homomorphic Encryption in the Quantum World

Pr[C = c M = m] = Pr[C = c] Pr[M = m] Pr[M = m C = c] = Pr[M = m]

Post-quantum security models for authenticated encryption

Lecture 9 - Symmetric Encryption

CTR mode of operation

Lecture 13: Private Key Encryption

arxiv: v1 [quant-ph] 29 Aug 2018

THE RANK METHOD AND APPLICATIONS TO POST- QUANTUM CRYPTOGRAPHY

CPA-Security. Definition: A private-key encryption scheme

Solutions for week 1, Cryptography Course - TDA 352/DIT 250

Lectures 2+3: Provable Security

Lecture 4: Perfect Secrecy: Several Equivalent Formulations

Identity-based encryption

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security

The Cramer-Shoup Cryptosystem

BEYOND POST QUANTUM CRYPTOGRAPHY

Cryptographical Security in the Quantum Random Oracle Model

Cryptography: The Landscape, Fundamental Primitives, and Security. David Brumley Carnegie Mellon University

Advanced Topics in Cryptography

Lecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004

8 Security against Chosen Plaintext

Computational security & Private key encryption

Modern Cryptography Lecture 4

Applied cryptography

On Post-Quantum Cryptography

Lecture 7: CPA Security, MACs, OWFs

Hierarchical identity-based encryption

Notes on Property-Preserving Encryption

1 Number Theory Basics

Secure Signatures and Chosen Ciphertext Security in a Post-Quantum World

Quantum-secure symmetric-key cryptography based on Hidden Shifts

A Strong Identity Based Key-Insulated Cryptosystem

Outline. The Game-based Methodology for Computational Security Proofs. Public-Key Cryptography. Outline. Introduction Provable Security

Cryptography. Lecture 2: Perfect Secrecy and its Limitations. Gil Segev

CSA E0 312: Secure Computation September 09, [Lecture 9-10]

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

A survey on quantum-secure cryptographic systems

On the security of Jhanwar-Barua Identity-Based Encryption Scheme

Parallel Decryption Queries in Bounded Chosen Ciphertext Attacks

PERFECT SECRECY AND ADVERSARIAL INDISTINGUISHABILITY

Searchable encryption & Anonymous encryption

CSA E0 235: Cryptography March 16, (Extra) Lecture 3

Non-malleability under Selective Opening Attacks: Implication and Separation

Lecture 4: Computationally secure cryptography

Lecture 2: Perfect Secrecy and its Limitations

Public-Key Encryption

Unforgeable Quantum Encryption

An Introduction to Probabilistic Encryption

Lecture 5, CPA Secure Encryption from PRFs

1 Indistinguishability for multiple encryptions

Lecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography

Lecture 11: Non-Interactive Zero-Knowledge II. 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian problem

Public-Key Cryptography. Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange

Symmetric Encryption

Block ciphers And modes of operation. Table of contents

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrosky. Lecture 4

Notes for Lecture 17

Chapter 2 : Perfectly-Secret Encryption

A Generic Hybrid Encryption Construction in the Quantum Random Oracle Model

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018

CS 395T. Probabilistic Polynomial-Time Calculus

Lecture 17: Constructions of Public-Key Encryption

Scribe for Lecture #5

ENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange

5199/IOC5063 Theory of Cryptology, 2014 Fall

Outline Proxy Re-Encryption NTRU NTRUReEncrypt PS-NTRUReEncrypt Experimental results Conclusions. NTRUReEncrypt

Codes and Cryptography. Jorge L. Villar. MAMME, Fall 2015 PART XI

Cryptology. Scribe: Fabrice Mouhartem M2IF

Boneh-Franklin Identity Based Encryption Revisited

A note on the equivalence of IND-CCA & INT-PTXT and IND-CCA & INT-CTXT

Chosen-Ciphertext Security (I)

Report on Learning with Errors over Rings-based HILA5 and its CCA Security

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Random Oracles in a Quantum World

Lecture 15 & 16: Trapdoor Permutations, RSA, Signatures

Cryptography CS 555. Topic 4: Computational Security

CLASSICAL CRYPTOSYSTEMS IN A QUANTUM WORLD

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 7

Outline. Provable Security in the Computational Model. III Signatures. Public-Key Encryption. Outline. David Pointcheval.

COS 597C: Recent Developments in Program Obfuscation Lecture 7 (10/06/16) Notes for Lecture 7

Fully Homomorphic Encryption

Gentry IBE Paper Reading

Public Key Cryptography

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

Lossy Trapdoor Functions and Their Applications

Cryptography 2017 Lecture 2

Verifiable Security of Boneh-Franklin Identity-Based Encryption. Federico Olmedo Gilles Barthe Santiago Zanella Béguelin

Provable Security for Public-Key Schemes. Outline. I Basics. Secrecy of Communications. Outline. David Pointcheval

Block encryption of quantum messages

G Advanced Cryptography April 10th, Lecture 11

Notes for Lecture 9. Last time, we introduced zero knowledge proofs and showed how interactive zero knowledge proofs could be constructed from OWFs.

Transcription:

Semantic Security and Indistinguishability in the Quantum World Tommaso Gagliardoni 1, Andreas Hülsing 2, Christian Schaffner 3 1 IBM Research, Swiss; TU Darmstadt, Germany 2 TU Eindhoven, The Netherlands 3 University of Amsterdam, CWI, QuSoft, The Netherlands Crypto Working Group, Utrecht, NL 24/03/2017

Introduction 2

Symmetric encryption E = (Kg, Enc, Dec) Plaintext m r Randomness Enc Ciphertext Secret key k Plaintext m Dec Ciphertext 3

Adversaries I: Classical Security E Adversary = probabilistic polynomial time (PPT) algorithm 4

Adversaries II: Post-Quantum Security E Adversary = bounded-error quantum polynomial time (BQP) algorithm 5

Adversaries III: Quantum Security E Adversary = bounded-error quantum polynomial time (BQP) algorithm 6

Why should we care? 1. Use in protocols 2. Quantum cloud 3. Quantum obfuscation 4. Side-channel attacks that trigger some measurable quantum behaviour 5. Oh, and because we can! 7

Semantic security (SEM) Simulation-based security notion Captures intuition: It should not be possible to learn anything about the plaintext given the ciphertext which you could not also have learned without the ciphertext. 8

Semantic security (SEM): Challenge phase (S n, h, f) (c, h(m)) m S n, c = Enc k m, A (f(m)) C A cannot do significantly better in the above game than a simulator S that does not receive c. 9

Indistinguishability (IND) (of ciphertexts) Pure game-based notion (no simulator) Easier to work with than SEM Intuition: You cannot distinguish the encryptions of two messages of your choice Shown to be equivalent to SEM! 10

Indistinguishability (IND): Challenge phase (m 1, m 2 ) c b R {0, 1}, c = Enc k m b, b A C A cannot output correct b with significantly bigger probability than guessing. 11

Chosen plaintext attacks (CPA) Adversary might learn encryptions of known messages To model worst case: Let adversary chose messages Can be combined with both security notions IND & SEM Normally: Learning phases before & after challenge phase 12

CPA Learning phase m c c = Enc k m A C A can ask q poly(n) queries in all learning phases. 13

IND-CPA Learning I m c c = Enc k m, A Learning II Challenge (m 1, m 2 ) c m c b R {0, 1}, c = Enc k m b, c = Enc k m, C Finish b A cannot output correct b with significantly bigger probability than guessing. 14

Quantum security notions 15

Previous work [BZ13] Boneh, Zhandry: "Secure Signatures and Chosen Ciphertext Security in a Quantum Computing World", CRYPTO'13 Model encryption as unitary operator defined by: x,y x, y x,y x, y Enc k (x) (where Enc k ( ) is a classical encryption function) 16

Indistinguishability under quantum chosen message attacks (IND-qCPA) Give adversary quantum access in learning phase Classical challenge phase 17

IND-qCPA x, y (m 1, m 2 ) c x, y x, y Enc k (x) b R {0, 1}, c = Enc k m b, A x, y b x, y x, y Enc k (x) A cannot output correct b with significantly bigger probability than guessing. 18 C

Indistinguishability under quantum chosen message attacks (IND-qCPA) Give adversary quantum access in learning phase Classical challenge phase Can be proven strictly stronger than IND-CPA Why would you do this? If we assume adversary has quantum access, why not also when it tries to learn something new? 19

Fully-quantum indistinguishability under quantum chosen message attacks (fqind-qcpa) Give adversary quantum access in learning phase Quantum challenge phase 20

fqind-qcpa x, y A x 1, x 2, y x, y b x, y x, y Enc k (x) b R {0,1}, x 1, x 2, y x 1, x 2, y Enc k (x b ) x, y x, y Enc k (x) C A cannot output correct b with significantly bigger probability than guessing. 21

fqind is unachievable [BZ13] 22

fqind is unachievable [BZ13] 23

fqind is unachievable [BZ13] 24

[BZ13] & our contribution 25

[BZ13] & our contribution 26

How to define qind-qcpa? 27

How to define qind-qcpa? 28

How to define qind-qcpa? 29

How to define qind-qcpa? 30

Model: (O) vs (C) (O) (C) 31

Model: (Q) vs (c) (Q) (c) 32

Model: Type (1) vs type (2) Type (1) Type (2) 33

Quantum indistinguishability (qind) 34

Quantum indistinguishability (qind) 35

Separation example 36

Separation example 37

Separation example 38

Impossibility result 39

Impossibility result 40

The attack 41

The attack 42

The attack 43

The attack 44

The attack 45

The attack 46

The attack 47

The solution 48

The solution 49

The solution 50

The solution 51

The solution 52

Secure Construction 53

Conclusion 54

Thank you! Questions? https://eprint.iacr.org/2015/355 55

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback