What are we talking about when we talk about post-quantum cryptography?

Similar documents
Quantum-secure symmetric-key cryptography based on Hidden Shifts

The quantum threat to cryptography

Cryptographical Security in the Quantum Random Oracle Model

CLASSICAL CRYPTOSYSTEMS IN A QUANTUM WORLD

Quantum Differential and Linear Cryptanalysis

Quantum-Safe Crypto Why & How? JP Aumasson, Kudelski Security

Post-Quantum Cryptography & Privacy. Andreas Hülsing

Analysis - "Post-Quantum Security of Fiat-Shamir" by Dominic Unruh

Recovering Short Generators of Principal Ideals in Cyclotomic Rings

Cryptographic Protocols Notes 2

BEYOND POST QUANTUM CRYPTOGRAPHY

Breaking Symmetric Cryptosystems Using Quantum Algorithms

Cryptography in a quantum world

Finding Short Generators of Ideals, and Implications for Cryptography. Chris Peikert University of Michigan

Quantum-resistant cryptography

Logic gates. Quantum logic gates. α β 0 1 X = 1 0. Quantum NOT gate (X gate) Classical NOT gate NOT A. Matrix form representation

ECS 189A Final Cryptography Spring 2011

Fang Song. Joint work with Sean Hallgren and Adam Smith. Computer Science and Engineering Penn State University

Hacking Quantum Cryptography. Marina von Steinkirch ~ Yelp Security

Lattice-Based Cryptography. Chris Peikert University of Michigan. QCrypt 2016

Practice Final Exam Winter 2017, CS 485/585 Crypto March 14, 2017

Lossy Trapdoor Functions and Their Applications

Challenges in Quantum Information Science. Umesh V. Vazirani U. C. Berkeley

Cryptography in the Quantum Era. Tomas Rosa and Jiri Pavlu Cryptology and Biometrics Competence Centre, Raiffeisen BANK International

A brief survey of post-quantum cryptography. D. J. Bernstein University of Illinois at Chicago

Quantum Cryptography

The Elliptic Curve in https

Post-Quantum Cryptography & Privacy. Andreas Hülsing

McEliece and Niederreiter Cryptosystems That Resist Quantum Fourier Sampling Attacks

Lecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004

Short generators without quantum computers: the case of multiquadratics

A survey on quantum-secure cryptographic systems

Quantum Computing. Richard Jozsa Centre for Quantum Information and Foundations DAMTP University of Cambridge

Lecture 1: Introduction to Public key cryptography

Quantum Cryptography

Post-quantum key exchange for the Internet based on lattices

Question: Total Points: Score:

Recovering Short Generators of Principal Ideals in Cyclotomic Rings

Quantum Computing: it s the end of the world as we know it? Giesecke+Devrient Munich, June 2018

Post-Quantum Cryptography

Cyber Security in the Quantum Era

Number Theory: Applications. Number Theory Applications. Hash Functions II. Hash Functions III. Pseudorandom Numbers

Picnic Post-Quantum Signatures from Zero Knowledge Proofs

Public-key Cryptography and elliptic curves

Security Implications of Quantum Technologies

Lecture Summary. 2 Simplified Cramer-Shoup. CMSC 858K Advanced Topics in Cryptography February 26, Chiu Yuen Koo Nikolai Yakovenko

Definition: For a positive integer n, if 0<a<n and gcd(a,n)=1, a is relatively prime to n. Ahmet Burak Can Hacettepe University

Intro to Public Key Cryptography Diffie & Hellman Key Exchange

Lattice-Based Cryptography

Tighter Security Proofs for GPV-IBE in the Quantum Random Oracle Model. Shuichi Katsumata (The University of Tokyo /AIST) Takashi Yamakawa (NTT)

Lecture 10: Zero-Knowledge Proofs

CIS 6930/4930 Computer and Network Security. Topic 5.2 Public Key Cryptography

Security II: Cryptography exercises

Introduction to Quantum Computing

Middle-Product Learning With Errors

Lecture 15: The Hidden Subgroup Problem

Quantum Computing Lecture Notes, Extra Chapter. Hidden Subgroup Problem

Lecture 10 - MAC s continued, hash & MAC

9 Knapsack Cryptography

Notes for Lecture 15

Lemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).

Ideal Lattices and Ring-LWE: Overview and Open Problems. Chris Peikert Georgia Institute of Technology. ICERM 23 April 2015

Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security

Lecture 6. Winter 2018 CS 485/585 Introduction to Cryptography. Constructing CPA-secure ciphers

From Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited

1 Cryptographic hash functions

A New Key Exchange Protocol Based on DLP and FP in Centralizer Near-Ring

On error distributions in ring-based LWE

Winter 2008 Introduction to Modern Cryptography Benny Chor and Rani Hod. Assignment #2

Verifiable Security of Boneh-Franklin Identity-Based Encryption. Federico Olmedo Gilles Barthe Santiago Zanella Béguelin

LECTURE NOTES ON Quantum Cryptography

Code-based post-quantum cryptography. D. J. Bernstein University of Illinois at Chicago

Practice Exam Winter 2018, CS 485/585 Crypto March 14, 2018

Lecture 18 - Secret Sharing, Visual Cryptography, Distributed Signatures

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018

HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY 1 / 51

A Generic Hybrid Encryption Construction in the Quantum Random Oracle Model

Quantum-Secure Symmetric-Key Cryptography Based on Hidden Shifts

Lecture 14 More on Digital Signatures and Variants. COSC-260 Codes and Ciphers Adam O Neill Adapted from

Asymmetric Encryption

Historical cryptography. cryptography encryption main applications: military and diplomacy

Isogenies in a quantum world

Introduction to Quantum Computing

Quantum Computing 101. ( Everything you wanted to know about quantum computers but were afraid to ask. )

Errors, Eavesdroppers, and Enormous Matrices

ALICE IN POST-QUANTUM WONDERLAND; BOB THROUGH THE DIGITAL LOOKING-GLASS

Introduction to Cryptography. Lecture 8

Lecture Notes on Secret Sharing

How to Use Short Basis : Trapdoors for Hard Lattices and new Cryptographic Constructions

CPSC 467b: Cryptography and Computer Security

Chapter 8 Public-key Cryptography and Digital Signatures

Number Theory in Cryptography

POST-QUANTUM CRYPTOGRAPHY HOW WILL WE ENCRYPT TOMORROW?

Cryptography IV: Asymmetric Ciphers

Notes for Lecture 17

Post-Quantum Cryptography from Lattices

Introduction to Elliptic Curve Cryptography. Anupam Datta

Lecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography

Lecture 4: DES and block ciphers

Random Oracles in a Quantum World

Transcription:

PQC Asia Forum Seoul, 2016 What are we talking about when we talk about post-quantum cryptography? Fang Song Portland State University

PQC Asia Forum Seoul, 2016 A personal view on postquantum cryptography & a bite on quantum algorithms Fang Song Portland State University

How does cryptography change in a quantum world? 3

Triumph of modern cryptography Public-key cryptography Digital signature: DSA, Public-key encryption: RSA, Diffie-Hellmann key exchange 2015 A.M. Turing Award Symmetric-key cryptography Cryptographic protocols Block ciphers: AES Cryptographic hash function: SHA-2, Secure two/multi-party computation e-voting, Cryptography: a pillar of security for individuals, organizations and society! 4

Modern cryptography as a science A formal framework: provable security 2012 ACM A.M. Turing Award created mathematical structures that turned cryptography from an art into a science. Crypto scheme Σ Hard problem Π Security Model Security Analysis (Proof) Breaking Σ is as hard as solving Π Computational assumption EX. Factoring & Discrete Log hard to solve 5

Into a quantum world: the dark cat rises Physicists: quantum weirdness Quantum superposition 1 α 0 + β 1 2 ( ALIVE + DEAD ) Qubit Quantum Entanglement Computer scientists Non-classical correlation Spooky action at a distance A. Einstein Quantum gates & circuits 6

How does cryptography change in a quantum world? 7

Quantum attacks 1: break classical foundation Public-key crypto (DSA, RSA,DH, ) Broken! Computational assumption Factoring & Discrete Log hard to solve Factoring/DL Quantum computer can solve them a, fast! a [Shor94] Need: alternative problems to build crypto on Exciting progress: lattice-based, code-based, Question: are the new problems hard for classical & quantum computers? Is this all we need to worry about? 8

Quantum attacks 2: invalidate classical framework Crypto? schemes Lattices, Security Model Security Analysis Computational assumption: hard for quantum computer Alert: unique quantum attacks information-theoretically secure protocol This can happen now! (Technology available) Broken b by quantum entanglement! (vs. shared randomness) b [CSST11] Need: quantum provable-security framework Re-examine EVERY link against quantum attackers L Largely missing in PQC research 9

Any quantum ingredient could be a threat Task Need Availability I Run quantum factoring algorithm (to break public key crypto) Full-scale fault-tolerant QC 2013 2017? II Quantum attack classical crypto Ex. Quantum entanglement Available now 10

How does cryptography change in a quantum world? Post-Quantum Cryptography Hard problems broken Construct on new problems Security framework fail Analyze Security against quantum adv Outperform classical protocols Ex. Quantum key distribution Quantum Cryptography NB. Many already available (even as commercial products) Crypto tools for quantum tasks Ex. Encrypt quantum data 11

This Talk 1 Quantum algorithms A recent breakthrough: quantum algorithm for high-degree number fields Application: break some lattice crypto! The Hidden Subgroup Problem & Quantum Fourier Sampling 2 Examples: classical security framework inadequate Quantum Rewinding Quantum random oracle model Quantum attack on symmetric crypto 12

exponentially Which problems admit faster quantum algorithms than classical algorithms? Poly-time quantum algorithms for: Factoring and discrete logarithm [Shor 94] Basic problems in algebraic number theory Constant degree number fields Unit group Principal ideal problem [Hallgren 02 05,SV05] Class group Arbitrary degree [EHKS STOC14] [BS SODA16] Best known classical algorithms need (at least) sub-exponential time 13

Our quantum algorithms for Unit group, Principal ideal problem Break several lattice-based cryptosystems believed quantum safe before L 14

Breaking some lattice crypto For efficiency, often use problems in lattices w/ more structures Short-PIP Ring-LWE? Bad news: Short-PIP based cryptosystems are broken! Find a short generator of a principal ideal lattice FHE c, Multilinear mapping d, PKE by GCHQ e... broken Short-PIP Our quantum alg s find A generator PIP Classical procedure: reduce size of generator in cyclotomic fields e,f c SmartV10 d GargGH13 e CampellGS15 f CramerDPR15 Find A generator of a principal ideal lattice 15

How do quantum computers solve these problems? 16

The Hidden Subgroup Problem (HSP) framework INPUT Problem Π Reduction HSP on a group G Standard Def.: HSP on finite group G G H x + H f S s I s J Quantum Algorithm OUTPUT Solution to Π Captures most quantum exponential speedup Given: oracle function f: G S, s.t. H G, 1. (Periodic on H) x y H f x = f y 2. (Injective on G/H) x y H f x f y z + H s K Goal: Find (hidden subgroup) H. Continuous G (e.g. R O ) tricky, but we can handle [EHKS14] 17

Interesting HSP instances Computational Problems Factoring Discrete logarithm Number fields (PIP etc.) Simon s problem (Crypto app later) Graph isomorphism Unique shortest vector problem HSP on G Z Z Q Z Q R S(O) O Z T Symmetric group Dihedral group Abelian groups efficient quantum algs Non-abelian Open question:? efficient quantum algs 18

Solving HSP: quantum Fourier sampling Given: oracle f: G S periodic on H & Real Domain G = Z Q 0 r N 1 G = Z G = R r 0 r r 0 r F Z^ F R Fourier Spectrum 0 N/r 2N/r Noise becomes intolerable as dimension grows! 1/r 0 1/r Goal: find H Standard method for finite G 1. Quantum Fourier Sampling: Quantum Fourier transform & measure 2. Recover H from samples Old method for R UVOWXYOX Discretize & Truncate Reduce to finite G Our method for continuous R _ Informal: try to approx. sample the ideal Fourier spectrum directly! 19

This Talk 1 Quantum algorithms A recent breakthrough: quantum algorithm for high-degree number fields Application: break some lattice crypto! The Hidden Subgroup Problem & Quantum Fourier Sampling 2 Examples: classical security framework inadequate Quantum Rewinding Quantum random oracle model Quantum attack on symmetric crypto 20

Recall: classical security framework fails Security model inadequate for quantum attackers Quantum security models: Still at early stage Classical proofs can fail against quantum attackers Many PostQuantumC only consider classical attackers in proofs See more in [Song PQC14] Short vector Lattice L B? Crypto scheme Σ Quantum hard problem Π A breaks Encryption? Assume attacker A breaks scheme Σ, à Construct B from A solving hard problem Π. 21

I. Difficulty of quantum rewinding Rewinding argument Take snapshot of an adversary & continue Later rewind & restart from snapshot Rewinding quantum adversary difficult Cannot copy unknown quantum state Information gain à disturbance on state B A A Only special cases possible g èquantum security of many classical protocols unclear Not often seen in PQC literature? Usually does not affect analysis of encryption, signature, But does matter: e.g. Quantum-secure Identification scheme (to get signature by Fiat-Shamir)? g [Watrous09] 22

II. Hash function: common heuristic fails? Hash functions are everywhere: Signature, message authentication, key derivation, bitcoin, The Random Oracle (RO) heuristic widely used Lazy sampling: decide H on-the-fly Program RO: change H( ) adaptively Ease security proof of hash-based schemes (otherwise impossible) Quantum-accessible Random Oracle Nothing appears to work A lot exciting developement restoring classical proofs x H(x) Hash Function H Σ c x Σ c x H x 23

III. Quantum attacking symmetric crypto 3-round Feistel Cipher CBC-MAC Broken!? [KM10] [KLL+16] [SS 16] Simon s Problem HSP on Z T O Easy on a quantum computer These attacks need specific* quantum model Assume attackers have QUANTUM access to the SECRET enc/auth algorithm * In my opinion unrealistic but still possible Quantum random oracle is more justified Hash functions are public, any (quantum) user can implement it quantumly 24

Concluding Remarks How does cryptography change in a quantum world? Post-Quantum Cryptography Hard problems broken Construct on new problems Security framework fail Analyze Security against quantum adv Need more study on (quantum) hardness Quantum Cryptography Possible complement Be aware and cautious! Many issues unclear 25

I m hiring 2-3 PhD students to work on Quantum algorithms Analyzing quantum security of classical crypto Quantum crypto Maybe 1 Post-doc too Get in touch if interested Check my webpage for more: fangsong.info Email: fang.song@pdx.edu Young but strong in Programming language, machine learning, vision, Portland is absolutely nice in many ways~ Thank you! 26

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback