
CRYPTOSYSTEMS IN A QUANTUM WORLD - Mark Zhandry, Stanford University - PowerPoint PPT Presentation



  1. CLASSICAL CRYPTOSYSTEMS IN A QUANTUM WORLD Mark Zhandry – Stanford University * Joint work with Dan Boneh

  2. But First: My Current Work
     Indistinguishability Obfuscation (and variants)
     • Multiparty NIKE without trusted setup and with small parameters
     • Broadcast encryption with short ciphertexts and secret/public keys
     • Traitor tracing with short ciphertexts and secret/public keys
     • More to come
     Talk at NYU 2:30pm Tomorrow (11/20). Ask me for details
     Multilinear Maps
     • Can above primitives be built directly from multilinear maps?

  3. Back to Quantum

  4. Classical Crypto. Ex: CCA encryption (figure: sk, pk, c = E(pk,m)). Computational power and interactions are classical.

  5. Quantum Computing Attack (aka: post-quantum crypto). Adversary has a quantum computer; interactions remain classical.
     Figure (RSA example): sk = (N,d), pk = (N,e), c = E(pk,m). N → p,q (Shor’s alg), d = e^-1 mod φ(N), m = D(sk,c).

  6. Defending against Quantum Computing Attacks
     Need crypto based on hard problems for quantum computers
     • Ex: lattice problems
     Classical security proofs (reductions) often carry through
     • Many reductions treat adversary as black box
     • Classical interactions → simulate adversary using classical techniques
     • Ex: OWF → PRF, IBE → CCA encryption, etc.
     • Exception: rewinding

  7. This Talk: Quantum Channel Attacks. All parties have quantum computers (figure: sk, pk, c = E(pk,m)). Computational power and interactions are quantum.

  8. Quantum Background. A state is a superposition of classical values x with amplitudes α_x. Measurement: output x with probability |α_x|^2. Can perform any classical op F in superposition: x ↦ y = F(x).

  9. Motivation. Objection: can always measure incoming query (figure: sk, pk, c = E(pk,m)). Attack reduced to classical channel attack.

  10. Motivation. Objection: can always measure incoming query. Answer: implementing measurement securely is non-trivial
      • Measurement is physical – must trust hardware
      • What if adversary has access to device?
      • Only way to be certain: entangle fully with query
      • Requires quantum storage ≥ total data measured.
      Conservative approach to crypto: use schemes secure against quantum channel attacks

  11. Proving Quantum Security. Main difficulty: simulation
      • Adversary may query on superposition of all inputs
      • Exact simulation:
        • need an answer at every point
        • distribution of all answers must be same as real setting
      Possible solutions:
      • Find reduction that answers every point correctly
      • Distribution of answers indistinguishable from real setting
      • Answer incorrectly on some inputs*

  12. What’s to come • Encryption • Pseudorandom functions • Message authentication codes • Signatures (if time)

  13. Encryption

  14. Quantum CCA Attack (game). (sk,pk) ← G(), adversary gets pk; b ← {0,1}.
      CCA queries: c' → m' = D(sk,c'). Challenge: m_b → c = E(pk,m_b).
      CCA queries after the challenge: D_c(sk,c') = D(sk,c') if c' ≠ c, ⊥ if c' = c. Adversary outputs b'.

  15. Proving security against quantum CCA. Goal: find reduction that can decrypt all queries except challenge. Reduction can compute all decryption keys except challenge.
      Example: ABB’10 selective IBE + selective IBE → CCA. Reduction can decrypt every ciphertext but challenge
      • Needs all decryption keys but challenge

  16. Pseudorandom Functions

  17. Pseudorandom Functions. Recall classical def: b ← {0,1}. b=0: k ← K, F(·) = F(k,·). b=1: F ← Funcs(X,Y). Adversary queries x, receives y = F(x), outputs b'.

  18. Quantum Security for PRFs. Same game, now over a quantum channel: b ← {0,1}. b=0: k ← K, F(·) = F(k,·). b=1: F ← Funcs(X,Y). Adversary queries x (in superposition), receives y = F(x), outputs b'.

  19. The GGM Construction

  20. Pseudorandom Generators. G: S → Y; for s ← S, G(s) ≈ y ← Y (indistinguishable). The output G(s) is split into two halves G_0(s), G_1(s).

  21. The GGM Construction. Root k ← S; for input x = x_0 x_1 x_2 ..., apply G at each level and keep the half selected by the bit: k → G_{x_0}(k) → G_{x_1}(G_{x_0}(k)) → ... Leaves (3-bit example): F_k(000), F_k(001), F_k(010), F_k(011), F_k(100), F_k(101), F_k(110), F_k(111).

  22. Quantum Security Proof? Follow classical steps: Step 1: Hybridize over levels of tree

  23. Hybridize Over Levels Hybrid 0

  24. Hybridize Over Levels Hybrid 1

  25. Hybridize Over Levels Hybrid 2

  26. Hybridize Over Levels Hybrid 3

  27. Hybridize Over Levels Hybrid n

  28. Hybridize Over Levels. PRF distinguisher will distinguish two adjacent hybrids (figure: a level of random values Y).

  29. Hybridize Over Levels. PRF distinguisher will distinguish two adjacent hybrids (figure: a level of seeds S above a level of values Y).

  30. Quantum Security Proof? Follow classical steps: ✓ Step 1: Hybridize over levels of tree. Step 2: Simulate hybrids using PRG/Random samples.

  31. Simulating Hybrids (figure: tree with seed nodes S and value nodes Y).

  32. How It Was Done Classically. Active node: value used to answer query. Only need to fill active nodes. Adversary only queries polynomial number of points.

  33. Quantum Simulation? Adversary can query on all exponentially-many inputs

  34. Quantum Simulation? Adversary can query on all exponentially-many inputs, so all nodes are active! Cannot simulate exactly with polynomial samples!
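As an added illustration (not from the slides) of the GGM tree on slide 21 and of the classical lazy simulation on slides 32-34: a GGM PRF built from a stand-in length-doubling PRG, plus Hybrid i of the level-hybrid argument, where depth-i nodes are sampled only when a query touches them. SHA-256 standing in for the PRG and the 16-byte seed length are assumptions of the example.

```python
import hashlib
import os

SEED_LEN = 16  # bytes; constructed parameter for this example

def prg(seed: bytes) -> tuple[bytes, bytes]:
    """Length-doubling PRG stand-in G(s) = (G_0(s), G_1(s)).
    Assumption: SHA-256 with two distinct prefixes is modelled as a PRG."""
    g0 = hashlib.sha256(b"G0" + seed).digest()[:len(seed)]
    g1 = hashlib.sha256(b"G1" + seed).digest()[:len(seed)]
    return g0, g1

def ggm_prf(key: bytes, x: str) -> bytes:
    """GGM PRF: walk the tree from the root k, taking G_{x_i} at level i.
    x is a bit string; each bit picks the left (0) or right (1) PRG half."""
    node = key
    for bit in x:
        node = prg(node)[int(bit)]
    return node

class HybridGGM:
    """Hybrid i of the GGM proof: every node at depth i is an independent
    uniform value (Y) instead of a PRG output; deeper levels still use G.
    Hybrid 0 is the real PRF (only the root is random); Hybrid n, with n the
    input length, is a truly random function.  Depth-i nodes are filled
    lazily, so only the nodes a query actually touches ("active" nodes)
    are ever sampled, exactly as in the classical simulation."""

    def __init__(self, level: int):
        self.level = level
        self.nodes: dict[str, bytes] = {}  # active depth-i nodes, by prefix

    def eval(self, x: str) -> bytes:
        prefix = x[:self.level]
        node = self.nodes.get(prefix)
        if node is None:                   # first query touching this subtree
            node = os.urandom(SEED_LEN)
            self.nodes[prefix] = node
        for bit in x[self.level:]:         # finish the walk with the real PRG
            node = prg(node)[int(bit)]
        return node

    def active_nodes(self) -> int:
        """Random samples spent so far: at most the number of classical
        queries, but 2^i if every input were queried in superposition."""
        return len(self.nodes)
```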

  35. A Distribution to Simulate. Any distribution D on values induces a distribution D^X on functions: for all x ∈ X, y_x ← D, H(x) = y_x. Write H ← D^X (figure: one independent D sample per leaf).

  36. Simulating Hybrids. Goal: simulate D^X using poly samples of D (figure: G^X, U^X; a level of seeds S above a level of values Y).

  37. Attempt 1: Systematic. Draw y_1, ..., y_r ← D and set H(x) = y_{x mod r} (figure: y_1 y_2 y_3 y_4 repeated across the domain). H is periodic → period learnable by quantum algorithms.

  38. Attempt 2: Random. Draw y_1, ..., y_r ← D, pick a random R ← Funcs(X,[r]) and set H(x) = y_{R(x)} (figure: y_4 y_3 y_1 y_3 y_2 ... in random order). Called small range distributions, SR_r^X(D).

  39. Small Range Distributions. Theorem: SR_r^X(D) is indistinguishable from D^X by any q-query quantum algorithm, except with probability O(q^3/r).
      Notes:
      • Highly non-trivial
      • Distinguishing prob not negligible, but good enough
      • We get to choose r
      • Random function R not efficiently constructible
      • [Zha’12a] Can simulate R using k-wise independence
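Added example (not from the talk) of the two attempts on slides 37-38: the systematic H(x) = y_{x mod r}, which is periodic, beside the small-range H(x) = y_{R(x)}, with the random R replaced by a k-wise independent polynomial as the [Zha’12a] note allows, and a helper that picks r from the O(q^3/r) bound. The field prime, the polynomial degree and the constant hidden in the O(·) are assumptions of the example.

```python
import math
import random

def systematic_h(samples):
    """Attempt 1: H(x) = y_{x mod r} for fixed samples y_1..y_r drawn from D.
    The output repeats every r inputs, so H is periodic with period r."""
    r = len(samples)
    return lambda x: samples[x % r]

def kwise_independent_r(k, p, r, seed):
    """Stand-in for the random R <- Funcs(X,[r]) of slide 38: a random
    polynomial of degree < k over GF(p) is k-wise independent on X = [p]
    (assumption: the final 'mod r' is a simplification and is slightly
    biased when r does not divide p)."""
    rng = random.Random(seed)
    coeffs = [rng.randrange(p) for _ in range(k)]
    def R(x):
        acc = 0
        for c in reversed(coeffs):      # Horner evaluation mod p
            acc = (acc * x + c) % p
        return acc % r
    return R

def small_range_h(samples, R):
    """Attempt 2: H(x) = y_{R(x)}, i.e. the small range distribution SR_r^X(D)."""
    return lambda x: samples[R(x)]

def is_periodic(H, domain_size, period):
    """Classical check that H(x) == H(x + period) over the whole domain; a
    quantum period-finding algorithm can learn such a period from few queries."""
    return all(H(x) == H(x + period) for x in range(domain_size - period))

def choose_r(q, eps, hidden_constant=1.0):
    """Pick r so that the O(q^3/r) distinguishing bound is at most eps
    (assumption: the constant inside the O(.) is supplied by the caller)."""
    return math.ceil(hidden_constant * q ** 3 / eps)
```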

  40. Quantum GGM Proof. PRF distinguisher will distinguish two adjacent hybrids; each hybrid ≈ its small-range version (SR distributions) (figure: a full level of S and Y nodes beside the SR versions with fewer S and Y samples).

  41. Quantum Security Proof? Follow classical steps: ✓ Step 1: Hybridize over levels of tree. ✓ Step 2: Simulate hybrids approximately using PRG/Random samples. ✓ Step 3: Hybrid over samples.

  42. Quantum GGM Proof. PRF distinguisher will distinguish two adjacent hybrids; each hybrid ≈ its small-range version (SR distributions), and the two small-range versions are ≈ by PRG security.

  43. Message Authentication Codes (MACs)

  44. Message Authentication Codes (MACs). Recall classical def: k ← {0,1}^λ; adversary sends m_1, m_2, ..., m_i and receives σ_i = S(k, m_i); outputs (m,σ). Requirements: V(k,m,σ) accepts, m ≠ m_i for any i.

  45. Quantum Security? k ← {0,1}^λ; queries m_1, ..., m_i (now quantum) receive σ_i = S(k, m_i); adversary outputs (m,σ). Cannot copy quantum info! Requirements: must define success without reference to queries (classical requirement was: V(k,m,σ) accepts, m ≠ m_i for any i).

  46. Quantum Security. k ← {0,1}^λ; q queries m_i → σ_i = S(k, m_i); adversary outputs (m_0*,σ_0*), ..., (m_q*,σ_q*). Adversary must produce q+1 (distinct) forgeries after making q queries.

  47. PRF as a MAC. Try classical construction: S(k,x) = F(k,x), i.e. σ = F(x); V(k,x,σ) recomputes F(k,x) and outputs accept/reject according to whether σ = F(x).

  48. Security of PRF as a MAC. k ← {0,1}^λ; q queries m_i → σ_i = F(k, m_i); adversary outputs (m_0*,σ_0*), ..., (m_q*,σ_q*). Adversary must produce q+1 (distinct) input/output pairs of F after making q queries.

  49. Security of PRF as a MAC. Replace F with a random function F ← Funcs(M,T): q queries m_i → σ_i = F(m_i); adversary outputs (m_0*,σ_0*), ..., (m_q*,σ_q*). Oracle Interrogation: adversary must produce q+1 (distinct) input/output pairs of a random function after making q queries.

  50. Quantum Oracle Interrogation. Classically: hard. Adv[q+1 points]: 1/|T| (1/2^n for n-bit tags).
      Quantum: not so fast. [vD’98]: random function F: X → {0,1}, q quantum queries ⇒ 1.9q points w.h.p.
      Also true for small range size: random function F: X → {0,1}^2, ex: q quantum queries ⇒ 1.3q points w.h.p.
      Question: What about large range size?

  51. Quantum Oracle Interrogation. Our result. Theorem: for a random function F: X → T, Adv[q queries ⇒ q+1 points] ≤ (q+1)/|T| (only lose factor of q+1 relative to classical case).
      Highly nontrivial
      • Invented new quantum impossibility tool: The Rank Method
      Takeaway: Quantum Oracle Interrogation easier, but still hard

  52. Back to MAC Security. Classical CMA: secure PRF ⇒ secure MAC (Adv: 1/|T|). Quantum CMA: quantum-secure PRF ⇒ quantum-secure MAC (Adv: (q+1)/|T|). Both cases: MAC size super-logarithmic ⇒ MAC is secure.

  53. Signatures

  54. Signatures. Naturally extend MAC definition: (sk,pk) ← G(), adversary gets pk; q queries m_i → σ_i = S(sk, m_i); adversary outputs (m_0*,σ_0*), ..., (m_q*,σ_q*).

  55. Proof Difficulties
      Aborts are problematic
      • Can’t both abort and continue
      Adversary can tell if signatures are invalid
      • Need to sign all messages correctly
      Previous quantum proof techniques leave query intact
      • Known limitations in quantum setting:
        • MPC [DFNS’11]
        • Fiat-Shamir in QROM [DFG’13]
      • Cannot prove security for unique signatures (Ex: Lamport)

  56. Building Quantum-Secure Signatures. First attempt: do classical constructions work? Examples:
      • From lattices [CHKP’10, ABB’10]
      • Using random oracles [BR’93, GPV’08]
      • From generic assumptions [Rom’90]
      Short answer: sometimes yes, with small modifications
