
Cryptography in the Age of Quantum Computers, Mark Zhandry (MIT): PowerPoint PPT Presentation



  1. Cryptography in the Age of Quantum Computers. Mark Zhandry (MIT). Based on joint works with: Dan Boneh, Özgür Dagdelen, Marc Fischlin, Anja Lehmann, Christian Schaffner.

  2. Typical Crypto Application. [Figure: a message m sent from one party to another over a channel.]

  3. Solution: (Private Key) Encryption. c = Enc(key, m); m = Dec(key, c). [Figure: the ciphertext c together with the shared key recovers m.] Major question: how is security defined?

  4. Definition 1: 1-time security. For any m_0, m_1: c_0 = Enc(key, m_0) ≈ c_1 = Enc(key, m_1). Statistical security: statistical closeness • [Sha'49]: |key| ≥ |m|. Computational security: computational indistinguishability • Restrict to adversaries running efficiently • Now possible to have |key| << |m|. Question: what if I encrypt a second message?

  5. Definition 2: CPA Security (indistinguishability under chosen plaintext attack). Game: the Challenger picks a random bit b and a random key; the Adversary sends m_0, m_1 and receives c = Enc(key, m_b); the Adversary outputs a guess b'. Def: CPA-security: for all efficient adversaries, |Pr[b' = b] − 1/2| < negl.

  6. Definition 3: CCA Security (indistinguishability under chosen ciphertext attack). Game: the Challenger picks a random bit b, a random key and an empty table T; the Adversary sends m_0, m_1 and receives c = Enc(key, m_b), which is added to T; the Adversary may also send ciphertexts c and receive m = Dec(key, c) if c ∉ T; the Adversary outputs b'. Def: CCA-security: for all efficient adversaries, |Pr[b' = b] − 1/2| < negl.

  7. Other Scenarios. Circular security: Enc(key, key). Side-channel attacks: the adversary learns f(key). Takeaway: models should give the adversary as much power as possible.

  8. Quantum Computers. So far, we assumed the adversary obeys classical physics. What about quantum physics? Quantum computing = using quantum physics to perform certain computations • Active research area • [Sho'94]: quantum computers can break lots of crypto.

  9. Post-Quantum CCA Security. Interaction is still classical: the same CCA game as on slide 6 (random bit b, random key, empty table T; m_0, m_1 → c = Enc(key, m_b), c added to T; decryption queries c → m = Dec(key, c) if c ∉ T; guess b'), now played against a quantum adversary. Def: CCA-security: for all efficient adversaries, |Pr[b' = b] − 1/2| < negl.

  10. Post-Quantum Security. Post-quantum = end-users are classical; all interaction is classical.

  11. Full Quantum Security. Full quantum = end-users are quantum; messages are quantum.

  12. Quantum Background. Quantum states: a message register holds a superposition of all messages, Σ_m α_m |m⟩ with Σ_m |α_m|^2 = 1. Measurement: returns m with probability |α_m|^2. Simulating classical operations in superposition: F maps Σ_m α_m |m⟩ to Σ_m α_m |F(m)⟩.

  13. Full Quantum CCA Security? Game: the Challenger picks a random bit b and a random key; the Adversary sends m_0, m_1 and receives c = Enc(key, m_b); the Adversary may send ciphertexts c and receive m = Dec(key, c); messages, ciphertexts and queries may be quantum states; the Adversary outputs b'. Def: CCA-security: for all efficient adversaries, |Pr[b' = b] − 1/2| < negl.

  14. Are Full Quantum Attacks Plausible? Objection: one can always "classicalize" by sampling m (a classical m goes in, a classical c comes out) ⇒ reduce the attack to a post-quantum attack! Reasons to still use full quantum notions: • Classicalization is a burden on the hardware designer • What if the adversary can bypass it? • Classicalization amounts to a hardware assumption.

  15. This Work. [BDFLSZ'11, Zha'12a, Zha'13]: Quantum random oracle model. [Zha'12b]: Pseudorandom functions. [BZ'13a]: Message Authentication Codes. [BZ'13b]: Digital signatures and encryption. Theorem: Full-quantum security > Post-quantum security. Theorem (informal): Full-quantum security can be obtained with "minimal" overhead w.r.t. post-quantum security.

  16. Example: Pseudorandom Functions [GGM'84]. Efficient keyed functions that "look like" random functions • Fundamental building block in symmetric crypto. Classical security game: choose a random bit b; depending on b, F is either the PRF or a random function from Func(X,Y); the adversary queries x and receives F(x), then outputs b'. Def: security: for all efficient adversaries, |Pr[b' = b] − 1/2| < negl.

  17. Example: Pseudorandom Functions [GGM'84] (continued). Post-quantum security: the same game against a quantum adversary whose queries x remain classical. Def: PQ-security: for all efficient quantum adversaries, |Pr[b' = b] − 1/2| < negl.

  18. Example: Pseudorandom Functions [GGM'84] (continued). Full-quantum security: the same game, but the adversary may query x in superposition and receives F(x) in superposition. Def: FQ-security: for all efficient quantum adversaries, |Pr[b' = b] − 1/2| < negl.

  19. How to build QPRFs? Hope that existing PQ-secure PRFs are FQ-secure. Examples: GGM, NR, BPR. Questions: • Do classical security analyses carry over? • If not, what new tools are needed?

  20. Pseudorandom Generators. G takes a seed s ∈ S to the pair (G_0(s), G_1(s)); its output is indistinguishable from a random y ∈ Y by efficient quantum adversaries.

  21-26. The GGM Construction (built up over six slides). Start from a seed k ∈ S at the root. For input x = x_0 x_1 x_2, apply G at each level and keep the half selected by the next input bit: x_0 selects G_{x_0}(k), x_1 selects G_{x_1} of that value, and so on. The leaves of the depth-3 tree are the outputs F_k(000), F_k(001), F_k(010), F_k(011), F_k(100), F_k(101), F_k(110), F_k(111).

  27. Quantum Security Proof? Idea: follow the classical steps • Turn a PRF distinguisher into a PRG distinguisher. Step 1: Hybridize over the levels of the tree.

  28. Hybridize Over Levels. Hybrid 0: the root is a random seed S; everything below is computed with G.

  29. Hybridize Over Levels. Hybrid 1: the two nodes at depth 1 are independent random seeds S.

  30. Hybridize Over Levels. Hybrid 2: the four nodes at depth 2 are independent random seeds S.

  31. Hybridize Over Levels. Hybrid 3: the eight nodes at depth 3 are independent random seeds S.

  32. Hybridize Over Levels. Hybrid n: all 2^n leaves are independent random values, so F is sampled fresh at every input.

  33. Hybridize Over Levels. Distinguishing the PRF from Func(X,Y) with advantage ε ⇒ distinguishing two adjacent hybrids with advantage ε/n. n is polynomial ⇒ acceptable loss. [Figure: adjacent hybrids, one level of seeds S against the level below it.]

  34. Hybridize Over Levels. Distinguishing the PRF from Func(X,Y) with advantage ε ⇒ distinguishing two adjacent hybrids with advantage ε/n; n polynomial ⇒ acceptable loss. [Figure: the two adjacent hybrids differ only in whether one level holds PRG outputs (S) or truly random values (Y).] This argument carries over to the quantum setting unmodified.
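As an added illustration of the GGM tree (slides 21-26) and the level hybrids of slides 28-34, not code from the talk, the following Python models the PRG G with SHA-256 (an assumption standing in for any PQ-secure length-doubling PRG) and builds hybrid i by drawing fresh seeds at depth i:

```python
import hashlib
import os

# Added example, not from the slides. Assumption: the length-doubling PRG
# G of slide 20 is modelled as G(s) = SHA256(s||0) || SHA256(s||1), standing
# in for any PQ-secure PRG; the tree and the hybrids follow the slides.
SEED_LEN = 32

def prg(seed: bytes) -> tuple:
    """G: S -> S x S, returning (G_0(s), G_1(s))."""
    assert len(seed) == SEED_LEN
    return (hashlib.sha256(seed + b"\x00").digest(),
            hashlib.sha256(seed + b"\x01").digest())

def ggm_prf(key: bytes, x: str) -> bytes:
    """GGM PRF F_k(x) for a bit string x: start at the root seed k and at
    level i keep the G_{x_i} half, ending at the leaf labelled x."""
    node = key
    for bit in x:
        node = prg(node)[int(bit)]
    return node

class LevelHybrid:
    """Hybrid i of the proof: every node at depth i is a fresh uniform seed,
    independent per i-bit prefix, and the remaining n-i levels are computed
    with G. Hybrid 0 is the PRF itself (root = key); hybrid n is a truly
    random function. Depth-i seeds are drawn lazily, so only the 'active'
    prefixes of a classical adversary's queries are ever filled (slide 37);
    a query over all 2^n inputs would force all 2^i entries (slide 39)."""
    def __init__(self, i: int, n: int, root: bytes = None):
        assert 0 <= i <= n
        self.i, self.n = i, n
        self.seeds = {} if root is None or i > 0 else {"": root}
    def evaluate(self, x: str) -> bytes:
        assert len(x) == self.n and set(x) <= {"0", "1"}
        prefix = x[:self.i]
        node = self.seeds.setdefault(prefix, os.urandom(SEED_LEN))
        for bit in x[self.i:]:
            node = prg(node)[int(bit)]
        return node

def hybrid_chain(n: int, key: bytes) -> list:
    """Hybrids 0..n for an n-bit input space, as walked in the proof."""
    return [LevelHybrid(i, n, key) for i in range(n + 1)]

if __name__ == "__main__":
    k = os.urandom(SEED_LEN)
    print(ggm_prf(k, "101").hex())
    print([len(h.seeds) for h in hybrid_chain(3, k)])
```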

  35. Quantum Security Proof? Idea: follow the classical steps • Turn a PRF distinguisher into a PRG distinguisher. Step 1 (done): Hybridize over the levels of the tree. Step 2: Simulate the hybrids using PRG/random samples.

  36. Simulating Hybrids. [Figure: a distinguisher for several samples, each either a PRG output S or a random Y, is obtained from the hybrid distinguisher, which sees a whole tree level of S values versus a whole level of Y values.]

  37. How It Was Done Classically. Active node: a value used to answer a query. Only active nodes need to be filled, and the adversary only queries a polynomial number of points ⇒ only poly-many samples are needed.

  38. Quantum Simulation? The adversary can query on all exponentially-many inputs.

  39. Quantum Simulation? All nodes are active! The adversary can query on all exponentially-many inputs, so exponentially many samples are needed to simulate!

  40. Quantum Security Proof? Idea: follow the classical steps • Turn a PRF distinguisher into a PRG distinguisher. Step 1 (done): Hybridize over the levels of the tree. Step 2 (?): Simulate hybrids using PRG/random samples. Step 3: Hybrid over samples.

  41. Hybrid Over Samples. A distinguisher for t samples with advantage ε ⇒ a distinguisher for 1 sample (S versus Y) with advantage ε/t. This argument carries over to the quantum setting unmodified.

  42. Quantum Security Proof? Step 1 (done): Hybridize over the levels of the tree. Step 2 (?): Simulate hybrids using PRG/random samples. Step 3 (done): Hybrid over samples • Exponential samples ⇒ exponential security loss • Can only handle poly-many samples.

  43. Quantum Security Proof? Step 1 (done): Hybridize over the levels of the tree. Step 2 (fails): Simulate hybrids using PRG/random samples. Step 3 (done): Hybrid over samples • Exponential samples ⇒ exponential security loss • Can only handle poly-many samples.

  44. A Distribution to Simulate. A distribution D on Y induces a distribution D^X on functions H: X → Y: for all x ∈ X, draw y_x ← D independently and set H(x) = y_x. Goal: simulate H ← D^X using poly-many samples.

  45. Solution: Small-Range Distributions. Draw r samples y_1, …, y_r ← D and a random function R ← Funcs(X, [r]); set H(x) = y_{R(x)}. [Figure: the 2^n outputs of H are drawn from only the r distinct values y_1, …, y_r.] This defines the distribution SR_r^X(D) on functions H.

  46. Small-Range Distributions. Theorem: SR_r^X(D) is indistinguishable from D^X by any q-query quantum algorithm, except with advantage O(q^3/r). Notes: • Highly non-trivial • The distinguishing probability is not negligible, but good enough • We get to choose r • The random function R is not efficiently constructible. Theorem: R can be simulated using k-wise independence.
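To make the small-range construction of slides 44-46 concrete, here is an added Python example (not the speaker's code): D^X sampled lazily beside SR_r^X(D), with R built from a random low-degree polynomial over a prime field as an assumed instance of the k-wise independence the last theorem refers to.

```python
import os
import random

# Added example, not from the slides. Assumptions: D is modelled as uniform
# 16-byte strings, X is a set of integers, and the k-wise independent R of
# the last theorem is a random polynomial of degree < k over GF(P), with P
# the Mersenne prime 2^61 - 1, reduced mod r.
P = (1 << 61) - 1

def sample_d() -> bytes:
    """One sample y <- D."""
    return os.urandom(16)

class RandomFunctionDX:
    """H <- D^X: an independent draw from D at every x, stored lazily.
    A query touching all 2^n inputs would need 2^n samples here, which is
    exactly the obstacle of slide 39."""
    def __init__(self):
        self.table = {}
    def __call__(self, x: int) -> bytes:
        return self.table.setdefault(x, sample_d())

class KWiseR:
    """R: X -> [r] from a random polynomial of degree < k over GF(P).
    Any k distinct inputs receive k-wise independent values in GF(P)
    (reducing mod r adds a bias of at most r/P)."""
    def __init__(self, r: int, k: int):
        self.r = r
        self.coeffs = [random.randrange(P) for _ in range(k)]
    def __call__(self, x: int) -> int:
        acc = 0
        for a in reversed(self.coeffs):   # Horner evaluation mod P
            acc = (acc * x + a) % P
        return acc % self.r

class SmallRange:
    """H <- SR_r^X(D): draw y_1..y_r <- D once, then H(x) = y_{R(x)}.
    Only r samples of D are ever needed, however many inputs are queried."""
    def __init__(self, r: int, k: int):
        self.r = r
        self.samples = [sample_d() for _ in range(r)]
        self.R = KWiseR(r, k)
    def __call__(self, x: int) -> bytes:
        return self.samples[self.R(x)]

def distinct_outputs(h, xs) -> int:
    """Number of different values h takes on the queried inputs xs: at
    most r for SR_r^X(D), and (almost surely) len(xs) for D^X."""
    return len({h(x) for x in xs})
```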
