Semantic Security and Indistinguishability in the Quantum World Tommaso Gagliardoni 1, Andreas Hülsing 2, Christian Schaffner 3 1 IBM Research, Swiss; TU Darmstadt, Germany 2 TU Eindhoven, The Netherlands 3 University of Amsterdam, CWI, QuSoft, The Netherlands Crypto Working Group, Utrecht, NL 24/03/2017
Introduction 2
Symmetric encryption E = (Kg, Enc, Dec) Plaintext m r Randomness Enc Ciphertext Secret key k Plaintext m Dec Ciphertext 3
Adversaries I: Classical Security E Adversary = probabilistic polynomial time (PPT) algorithm 4
Adversaries II: Post-Quantum Security E Adversary = bounded-error quantum polynomial time (BQP) algorithm 5
Adversaries III: Quantum Security E Adversary = bounded-error quantum polynomial time (BQP) algorithm 6
Why should we care? 1. Use in protocols 2. Quantum cloud 3. Quantum obfuscation 4. Side-channel attacks that trigger some measurable quantum behaviour 5. Oh, and because we can! 7
Semantic security (SEM) Simulation-based security notion Captures intuition: It should not be possible to learn anything about the plaintext given the ciphertext which you could not also have learned without the ciphertext. 8
Semantic security (SEM): Challenge phase (S n, h, f) (c, h(m)) m S n, c = Enc k m, A (f(m)) C A cannot do significantly better in the above game than a simulator S that does not receive c. 9
Indistinguishability (IND) (of ciphertexts) Pure game-based notion (no simulator) Easier to work with than SEM Intuition: You cannot distinguish the encryptions of two messages of your choice Shown to be equivalent to SEM! 10
Indistinguishability (IND): Challenge phase (m 1, m 2 ) c b R {0, 1}, c = Enc k m b, b A C A cannot output correct b with significantly bigger probability than guessing. 11
Chosen plaintext attacks (CPA) Adversary might learn encryptions of known messages To model worst case: Let adversary chose messages Can be combined with both security notions IND & SEM Normally: Learning phases before & after challenge phase 12
CPA Learning phase m c c = Enc k m A C A can ask q poly(n) queries in all learning phases. 13
IND-CPA Learning I m c c = Enc k m, A Learning II Challenge (m 1, m 2 ) c m c b R {0, 1}, c = Enc k m b, c = Enc k m, C Finish b A cannot output correct b with significantly bigger probability than guessing. 14
Quantum security notions 15
Previous work [BZ13] Boneh, Zhandry: "Secure Signatures and Chosen Ciphertext Security in a Quantum Computing World", CRYPTO'13 Model encryption as unitary operator defined by: x,y x, y x,y x, y Enc k (x) (where Enc k ( ) is a classical encryption function) 16
Indistinguishability under quantum chosen message attacks (IND-qCPA) Give adversary quantum access in learning phase Classical challenge phase 17
IND-qCPA x, y (m 1, m 2 ) c x, y x, y Enc k (x) b R {0, 1}, c = Enc k m b, A x, y b x, y x, y Enc k (x) A cannot output correct b with significantly bigger probability than guessing. 18 C
Indistinguishability under quantum chosen message attacks (IND-qCPA) Give adversary quantum access in learning phase Classical challenge phase Can be proven strictly stronger than IND-CPA Why would you do this? If we assume adversary has quantum access, why not also when it tries to learn something new? 19
Fully-quantum indistinguishability under quantum chosen message attacks (fqind-qcpa) Give adversary quantum access in learning phase Quantum challenge phase 20
fqind-qcpa x, y A x 1, x 2, y x, y b x, y x, y Enc k (x) b R {0,1}, x 1, x 2, y x 1, x 2, y Enc k (x b ) x, y x, y Enc k (x) C A cannot output correct b with significantly bigger probability than guessing. 21
fqind is unachievable [BZ13] 22
fqind is unachievable [BZ13] 23
fqind is unachievable [BZ13] 24
[BZ13] & our contribution 25
[BZ13] & our contribution 26
How to define qind-qcpa? 27
How to define qind-qcpa? 28
How to define qind-qcpa? 29
How to define qind-qcpa? 30
Model: (O) vs (C) (O) (C) 31
Model: (Q) vs (c) (Q) (c) 32
Model: Type (1) vs type (2) Type (1) Type (2) 33
Quantum indistinguishability (qind) 34
Quantum indistinguishability (qind) 35
Separation example 36
Separation example 37
Separation example 38
Impossibility result 39
Impossibility result 40
The attack 41
The attack 42
The attack 43
The attack 44
The attack 45
The attack 46
The attack 47
The solution 48
The solution 49
The solution 50
The solution 51
The solution 52
Secure Construction 53
Conclusion 54
Thank you! Questions? https://eprint.iacr.org/2015/355 55