cryptography in the age of quantum computers
play

Cryptography in the Age of Quantum Computers Mark Zhandry MIT - PowerPoint PPT Presentation

Dec 30, 2023 •279 likes •865 views

Cryptography in the Age of Quantum Computers Mark Zhandry MIT Based on joint works with: Dan Boneh, zgr Dagdelen, Marc Fischlin, Anja Lehmann, Christian Schaffner Typical Crypto Application m ! Solution: (Private Key) Encryption c ! c

  1. Cryptography in the Age of Quantum Computers Mark Zhandry – MIT Based on joint works with: Dan Boneh, Özgür Dagdelen, Marc Fischlin, Anja Lehmann, Christian Schaffner

  2. Typical Crypto Application m !

  3. Solution: (Private Key) Encryption c ! c = Enc( , m) ! m = Dec( , c) ! c ! + ! � m ! Major question: How is security defined?

  4. Definition 1: 1-time security For any m 0 ,m 1 : ≈! c 0 = Enc( , m 0 ) ! c 1 = Enc( , m 1 ) ! Statistical security: statistical closeness • [Sha’49]: | | ≥ |m| ! Computational security: computational indistinguishability • Restrict adversaries running efficiently • Now possible to have | | << |m| ! Question : what if I encrypt a second message?

  5. Definition 2: CPA Security Indistinguishability under chosen plaintext attack Challenger Adversary Random bit b , Random key m 0 , m 1 ! c = Enc( , m b ) ! c ! b’ ! Def: CPA-Security � � efficient , | Pr[b’=b] – � | < negl !

  6. Definition 3: CCA Security Indistinguishability under chosen ciphertext attack Challenger Adversary Random bit b , Random key Empty table T ! m 0 , m 1 ! c = Enc( , m b ) ! c ! Add c to T ! c ! m = Dec( , c) ! m if c � T ! b’ ! Def: CCA-Security � � efficient , | Pr[b’=b] – � | < negl !

  7. Other Scenarios Circular security: Enc( , ) ! Side-channel attacks: f( ) ! Takeaway: Models should give adversary as much power as possible !

  8. Quantum Computers So far, assumed adversary obeys classical physics What about quantum physics? Quantum computing = using quantum physics to perform certain computations • Active research area • [Sho’94]: quantum computers can break lots of crypto

  9. Post-Quantum CCA Security Interaction still classical Challenger Adversary Random bit b , Random key Empty table T ! m 0 , m 1 ! c = Enc( , m b ) ! c ! Add c to T ! c ! m = Dec( , c) ! m if c � T ! b’ ! Def: CCA-Security � � efficient , | Pr[b’=b] – � | < negl !

  10. Post-Quantum Security Post-quantum = end-users are classical All interaction is classical

  11. Full Quantum Security Full quantum = end-users are quantum Quantum messages

  12. Quantum Background Quantum states: m = superposition of all messages = �� m |m ⟩ ( � | � m | 2 = 1) ! Measurement: m m with probability | � m | 2 ! Simulate classical ops in superposition: m F(m) ! = �� m |F(m) ⟩ F !

  13. Full Quantum CCA Security? Challenger Adversary Random bit b , Random key m 0 , m 1 ! c = Enc( , m b ) ! c ! c ! m = Dec( , c ) ! m ! b’ ! Def: CCA-Security � � efficient , | Pr[b’=b] – � | < negl !

  14. Are Full Quantum Attacks Plausible? Objection: can always “classicalize” by sampling m ! m ! c ! � Reduce attack to post-quantum attack! Reasons to still use full quantum notions: • Classicalization is burden on hardware designer • What if adversary can bypass? • Classicalization amounts to a hardware assumption

  15. This Work [BDFLSZ’11,Zha’12a,Zha’13]: Quantum random oracle model [Zha’12b]: Pseudorandom functions [BZ’13a]: Message Authentication Codes [BZ’13b]: Digital signatures and encryption Theorem: Full-quantum security > Post-quantum security ! Theorem (Informal): Full-quantum security can be obtained with “minimal” overhead w.r.t. post-quantum security !

  16. Example: Pseudorandom Functions [GGM’84] Efficient keyed functions that “look like” random functions • Fundamental building block in symmetric crypto Classical security: Choose random bit b ! x ! PRF ! F(x) ! F ! b=1 ! Func(X,Y) ! b’ ! Def: Security � � efficient , | Pr[b’=b] – � | < negl !

  17. Example: Pseudorandom Functions [GGM’84] Efficient keyed functions that “look like” random functions • Fundamental building block in symmetric crypto Post-quantum security: Choose random bit b ! x ! PRF ! F(x) ! F ! b=1 ! Func(X,Y) ! b’ ! Def: PQ-Security � � efficient , | Pr[b’=b] – � | < negl !

  18. Example: Pseudorandom Functions [GGM’84] Efficient keyed functions that “look like” random functions • Fundamental building block in symmetric crypto Full-quantum security: Choose random bit b ! x ! PRF ! F(x) ! F ! b=1 ! Func(X,Y) ! b’ ! Def: FQ-Security � � efficient , | Pr[b’=b] – � | < negl !

  19. How to build QPRFs? Hope that existing PQ-secure PRFs are FQ secure Examples: GGM, NR, BPR Questions: • Do classical security analyses carry over? • If not, what new tools are needed?

  20. Pseudorandom Generators S ! s ! Y ! G ! ≈! G 0 (s) ! G 1 (s) ! y ! Indistinguishable by efficient quantum adversaries

  21. The GGM Construction S ! k ! x 0 ⟶ G x 1 ⟶ G G x 2 ⟶ G G G G F k (000) ! F k (001) ! F k (010) ! F k (011) ! F k (100) ! F k (101) ! F k (110) ! F k (111) !

  22. The GGM Construction S ! k ! x 0 ⟶ G x 1 ⟶ G G x 2 ⟶ G G G G F k (000) ! F k (001) ! F k (010) ! F k (011) ! F k (100) ! F k (101) ! F k (110) ! F k (111) !

  23. The GGM Construction S ! k ! x 0 ⟶ G x 1 ⟶ G G x 2 ⟶ G G G G F k (000) ! F k (001) ! F k (010) ! F k (011) ! F k (100) ! F k (101) ! F k (110) ! F k (111) !

  24. The GGM Construction S ! k ! x 0 ⟶ G x 1 ⟶ G G x 2 ⟶ G G G G F k (000) ! F k (001) ! F k (010) ! F k (011) ! F k (100) ! F k (101) ! F k (110) ! F k (111) !

  25. The GGM Construction S ! k ! x 0 ⟶ G x 1 ⟶ G G x 2 ⟶ G G G G F k (000) ! F k (001) ! F k (010) ! F k (011) ! F k (100) ! F k (101) ! F k (110) ! F k (111) !

  26. The GGM Construction S ! k ! x 0 ⟶ G x 1 ⟶ G G x 2 ⟶ G G G G F k (000) ! F k (001) ! F k (010) ! F k (011) ! F k (100) ! F k (101) ! F k (110) ! F k (111) !

  27. Quantum Security Proof? Idea: follow classical steps • Turn PRF distinguisher into PRG distinguisher Step 1: Hybridize over levels of tree

  28. Hybridize Over Levels S ! Hybrid 0 :

  29. Hybridize Over Levels S ! S ! Hybrid 1 :

  30. Hybridize Over Levels Hybrid 2 : S ! S ! S ! S !

  31. Hybridize Over Levels Hybrid 3 : S ! S ! S ! S ! S ! S ! S ! S !

  32. Hybridize Over Levels Hybrid n : S ! S ! S ! S ! S ! S ! S ! S ! S ! S ! S ! S ! S ! S ! S ! S !

  33. Hybridize Over Levels Distinguish PRF from Func(X,Y) with adv. ε Distinguish two adjacent hybrids with adv. ε /n ! n polynomial � acceptable loss S ! S ! S ! S ! S ! S ! S ! S ! S ! S ! S ! S ! S ! S ! S ! S ! S ! S ! S ! S ! S ! S ! S ! S !

  34. Hybridize Over Levels Distinguish PRF from Func(X,Y) with adv. ε Distinguish two adjacent hybrids with adv. ε /n ! n polynomial � acceptable loss S ! S ! S ! S ! S ! S ! S ! S ! Y ! Y ! Y ! Y ! Y ! Y ! Y ! Y ! Argument carries over to quantum setting unmodified

  35. Quantum Security Proof? Idea: follow classical steps • Turn PRF distinguisher into PRG distinguisher � Step 1: Hybridize over levels of tree Step 2: Simulate hybrids using PRG/Random samples

  36. Simulating Hybrids S ! S ! S ! Y ! Y ! Y ! Distinguisher for several samples S ! S ! S ! S ! S ! S ! S ! S ! Y ! Y ! Y ! Y ! Y ! Y ! Y ! Y ! Hybrid distinguisher

  37. How It Was Done Classically Active node: value used to answer query � need poly-many samples Only need to fill active nodes Adversary only queries polynomial number of points

  38. Quantum Simulation? Adversary can query on all exponentially-many inputs

  39. Quantum Simulation? All nodes are active! Adversary can query on all exponentially-many inputs Need exponentially many samples to simulate!

  40. Quantum Security Proof? Idea: follow classical steps • Turn PRF distinguisher into PRG distinguisher � Step 1: Hybridize over levels of tree ? Step 2: Simulate hybrids using PRG/Random samples Step 3: Hybrid over samples

  41. Hybrid Over Samples S ! S ! S ! Y ! Y ! Y ! Distinguisher for t samples with advantage ε S ! Distinguisher for 1 sample Y ! with advantage ε /t ! Argument carries over to quantum setting unmodified

  42. Quantum Security Proof? Idea: follow classical steps • Turn PRF distinguisher into PRG distinguisher � Step 1: Hybridize over levels of tree ? Step 2: Simulate hybrids using PRG/Random samples � Step 3: Hybrid over samples • Exponential samples � exponential security loss • Can only handle poly-many samples

  43. Quantum Security Proof? Idea: follow classical steps • Turn PRF distinguisher into PRG distinguisher � Step 1: Hybridize over levels of tree X Step 2: Simulate hybrids using PRG/Random samples � Step 3: Hybrid over samples • Exponential samples � exponential security loss • Can only handle poly-many samples

  44. A Distribution to Simulate Distribution D on Y � induces distribution on functions For all x � X : ! y x ! D ! ! H(x) = y x D D D D D D D D D D D D D D D D H : H ! D X ! Goal: simulate using poly-many samples

  45. Solution: Small-Range Distributions D D D R ! Funcs(X, [r]) ! H(x) = y R(x) ! … ! y 1 ! y 2 ! y r ! y 4 ! y 3 ! y 1 ! y 3 ! y 2 ! y 4 ! y 4 ! y 4 ! y 1 ! y 2 ! y 2 ! y 2 ! y 2 ! y 3 ! y 3 ! y 2 ! H : H ! SR r X (D) !

  46. Small-Range Distributions Theorem : SR r X (D) is indistinguishable from D X by any q - query quantum algorithm, except with advantage O(q 3 /r) ! Notes: • Highly non-trivial • Distinguishing prob not negligible, but good enough • We get to choose r ! • Random function R not efficiently constructible Theorem : Can simulate R using k -wise independence

Recommend

An Introduction to Quantum Computers and Quantum Cryptography Computer Network Security

An Introduction to Quantum Computers and Quantum Cryptography Computer Network Security

An Introduction to Quantum Computers and Quantum Cryptography Computer Network Security Prepared by: Nima Bayan, P.Eng. Fall 2003 Contents ! Introduction &quot; Cryptography and Relativity &quot; Quantum Algorithms &quot; Quantum Computers !

227 views • 11 slides
Cryptography for the quantum internet Elements of a quantum TLS Christian Majenz

Cryptography for the quantum internet Elements of a quantum TLS Christian Majenz

Cryptography for the quantum internet Elements of a quantum TLS Christian Majenz Colloquium Informatics Institute, University of Amsterdam Quantum computers Quantum computers Accelerating effort to build a quantum computer Quantum

1.74k views • 115 slides
Quantum Algorithms Tutorial Ronald de Wolf 1/ 37 Post-quantum cryptography I Quantum computers

Quantum Algorithms Tutorial Ronald de Wolf 1/ 37 Post-quantum cryptography I Quantum computers

Quantum Algorithms Tutorial Ronald de Wolf 1/ 37 Post-quantum cryptography I Quantum computers can break public-key cryptography that is based on assuming hardness of factoring, discrete logs, and a few other problems I Post-quantum

2.98k views • 37 slides
Quantum Cryptography Mris Ozols University of Cambridge Overview What are quantum

Quantum Cryptography Mris Ozols University of Cambridge Overview What are quantum

Quantum Cryptography Mris Ozols University of Cambridge Overview What are quantum computers? What is quantum cryptography? - Shor's algorithm for factoring - Quantum key distribution - Device-independent quantum cryptography What

630 views • 34 slides
Quantum Cryptography Lecture 28 Quantum Cryptography Quantum Cryptography Quantum information:

Quantum Cryptography Lecture 28 Quantum Cryptography Quantum Cryptography Quantum information:

Quantum Cryptography Lecture 28 Quantum Cryptography Quantum Cryptography Quantum information: Using microscopic physical state of quantum systems (spin of atoms/sub-atomic particles, polarization of photons etc.) to encode information

1.95k views • 154 slides
Post-Quantum Cryptography Dr. Ruben Niederhagen, February 8, 2016 Introduction Quantum Computers

Post-Quantum Cryptography Dr. Ruben Niederhagen, February 8, 2016 Introduction Quantum Computers

Post-Quantum Cryptography Dr. Ruben Niederhagen, February 8, 2016 Introduction Quantum Computers Using quantum states for computation: Introduced in 1985 by David Deutsch [3]. Operate on qubits using gates that perform reversible

1.69k views • 157 slides
From linear algebra to post-quantum cryptography Dr. Ir. Fr e Vercauteren

From linear algebra to post-quantum cryptography Dr. Ir. Fr e Vercauteren

Quantum computers and factoring Learning with errors Cryptography from LWE From linear algebra to post-quantum cryptography Dr. Ir. Fr e Vercauteren frederik.vercauteren@gmail.com Open Security Research (China) ESAT/COSIC - KU Leuven

1.34k views • 70 slides
Quantum Information Theory Renato Renner ETH Zurich Do quantum computers exist?

Quantum Information Theory Renato Renner ETH Zurich Do quantum computers exist?

Quantum Information Theory Renato Renner ETH Zurich Do quantum computers exist? Geordie Rose and his D-Wave quantum computer Commercial devices Quantum cryptography device by id

1.29k views • 112 slides
Incorporating Post-Quantum Cryptography in a microservice architecture Research Project 2 Why

Incorporating Post-Quantum Cryptography in a microservice architecture Research Project 2 Why

R. van der Gaag, D. Weller Incorporating Post-Quantum Cryptography in a microservice architecture Research Project 2 Why think about post-quantum cryptography W. Buchanan et. al concluded Gate-based quantum computers pose a significant

349 views • 18 slides
Summary: * Why quantum for computers? * Logic gates and algorithms * Manipulating quantum

Summary: * Why quantum for computers? * Logic gates and algorithms * Manipulating quantum

Elements of quantum information processing and quantum computers (with trapped ion examples) D. J. Wineland, Dept. of Physics, U Oregon, Eugene, OR; &amp; Research Associate, NIST, Boulder, CO Summary: * Why quantum for computers? *

742 views • 42 slides
Quantum Cryptography Lecture 26 Quantum Cryptography Quantum information: Using microscopic

Quantum Cryptography Lecture 26 Quantum Cryptography Quantum information: Using microscopic

Quantum Cryptography Lecture 26 Quantum Cryptography Quantum information: Using microscopic physical state of quantum systems (spin of atoms/sub-atomic particles, polarization of photons etc.) to encode information (and generate

455 views • 19 slides
COMPUTERS TAKING A QUANTUM LEAP Quantum computers will harness the power of atoms and molecules

COMPUTERS TAKING A QUANTUM LEAP Quantum computers will harness the power of atoms and molecules

COMPUTING COMPUTERS TAKING A QUANTUM LEAP Quantum computers will harness the power of atoms and molecules to perform calculations billions of times faster than todays silicon-based computers. They will also enable new revolutionary

299 views • 6 slides
Quantum Cryptography Slides based in part on A talk on quantum cryptography or how Alice

Quantum Cryptography Slides based in part on A talk on quantum cryptography or how Alice

Quantum Cryptography Slides based in part on A talk on quantum cryptography or how Alice outwits Eve, by Samuel Lomonaco Jr. and Quantum Computing by Andr Bertiaume. The Classical World - Bits either 0 or 1. - Bits can be copied.

639 views • 11 slides
Qu Quantum co computers, ho how do do the hey work and nd wha hat can n the hey do do?

Qu Quantum co computers, ho how do do the hey work and nd wha hat can n the hey do do?

Qu Quantum co computers, ho how do do the hey work and nd wha hat can n the hey do do? Outline Quantum technology Quantum computing What is the advantage? The qubits Operating the quantum computer Quantum computing initiatives

475 views • 31 slides
Quantum Mechanics; a Blessing and a Curse By Elias Marcopoulos Quantum Computers Quantum

Quantum Mechanics; a Blessing and a Curse By Elias Marcopoulos Quantum Computers Quantum

Quantum Mechanics; a Blessing and a Curse By Elias Marcopoulos Quantum Computers Quantum Computers are just like regular computers, they crunch numbers Quantum Computers Quantum Computers are just like regular computers, they crunch

926 views • 74 slides
You thought your communication was secure? Quantum computers are coming! Daniel J. Bernstein 1 , 2

You thought your communication was secure? Quantum computers are coming! Daniel J. Bernstein 1 , 2

You thought your communication was secure? Quantum computers are coming! Daniel J. Bernstein 1 , 2 Tanja Lange 1 1 Technische Universiteit Eindhoven 2 University of Illinois at Chicago 16 April 2016 1 / 33 Cryptography Motivation

1.01k views • 57 slides
Quantum Weirdness Part 6 Quantum Weirdness in Materials Quantum Cryptography Quantum

Quantum Weirdness Part 6 Quantum Weirdness in Materials Quantum Cryptography Quantum

Quantum Weirdness Part 6 Quantum Weirdness in Materials Quantum Cryptography Quantum Teleportation Quantum Snake Oil Quantum Weirdness in Materials Why Materials Behave as they do Combining Atoms Into Molecules Molecular Orbital Theory

1.17k views • 72 slides
Quantum computers: the future attack that breaks todays messages Daniel J. Bernstein &amp;

Quantum computers: the future attack that breaks todays messages Daniel J. Bernstein &amp;

Quantum computers: the future attack that breaks todays messages Daniel J. Bernstein &amp; Tanja Lange University of Illinois at Chicago &amp; Technische Universiteit Eindhoven 14 December 2018 Cryptography Motivation #1:

950 views • 78 slides
Standardization of post-quantum cryptography Tanja Lange 08 May 2016 A Workshop About

Standardization of post-quantum cryptography Tanja Lange 08 May 2016 A Workshop About

Standardization of post-quantum cryptography Tanja Lange 08 May 2016 A Workshop About Cryptographic Standards History of post-quantum cryptography 2003 Daniel J. Bernstein introduces term Post-quantum cryptography. PQCrypto 2006:

623 views • 23 slides
HOST Cryptography I ECE 525 Cryptography Handbook of Applied Cryptography &amp;

HOST Cryptography I ECE 525 Cryptography Handbook of Applied Cryptography &amp;

HOST Cryptography I ECE 525 Cryptography Handbook of Applied Cryptography &amp; http://cseweb.ucsd.edu/users/mihir/cse207/ Brief History: Proliferation of computers and communication systems in 1960s brought with it a demand to protect

273 views • 24 slides
Quantum Cryptography 1. Fake Quantum Theory. 2. Simple Quantum Protocols. 3. More Fake Quantum

Quantum Cryptography 1. Fake Quantum Theory. 2. Simple Quantum Protocols. 3. More Fake Quantum

Contents: Quantum Cryptography 1. Fake Quantum Theory. 2. Simple Quantum Protocols. 3. More Fake Quantum Theory: Fake Tensor Products, Entanglement. 4. A Glance at Genuine Quantum Theory. 5. Quantum Computing, Shors

559 views • 8 slides
Current Quantum Measurements in . . . Cryptography Algorithm Main Idea of Quantum . . . A

Current Quantum Measurements in . . . Cryptography Algorithm Main Idea of Quantum . . . A

Why Quantum . . . Quantum . . . Remaining Problems . . . Quantum Physics: . . . Current Quantum Measurements in . . . Cryptography Algorithm Main Idea of Quantum . . . A General Family of . . . Is Optimal: A Proof What Do We Want to . . .

818 views • 40 slides
Quantum cryptanalysis: How to break some classical cryptosystems with quantum computers? Miklos

Quantum cryptanalysis: How to break some classical cryptosystems with quantum computers? Miklos

Quantum cryptanalysis: How to break some classical cryptosystems with quantum computers? Miklos Santha CNRS, IRIF, Universit Paris Diderot, France and Centre for Quantum Technologies, NUS, Singapore 1/36 Plan of the talk 1 Crash course on

543 views • 36 slides
Single quantum dots as artificial atoms, quantum optics and quantum cryptography at the Tyndall

Single quantum dots as artificial atoms, quantum optics and quantum cryptography at the Tyndall

Single quantum dots as artificial atoms, quantum optics and quantum cryptography at the Tyndall National Institute. E. Pelucchi Collaborators: T. H. Chung, G. Juska, V. Dimastrodonato, S. T. Moroni, A. Pescaglini, E. Mura and A. Gocalinska

693 views • 45 slides

More recommend