cryptosystems in a
play

CRYPTOSYSTEMS IN A QUANTUM WORLD Mark Zhandry Stanford University - PowerPoint PPT Presentation

Jan 27, 2024 •382 likes •1.05k views

CLASSICAL CRYPTOSYSTEMS IN A QUANTUM WORLD Mark Zhandry Stanford University * Joint work with Dan Boneh But First: My Current Work Indistinguishability Obfuscation (and variants) Multiparty NIKE without trusted setup and with small

  1. CLASSICAL CRYPTOSYSTEMS IN A QUANTUM WORLD Mark Zhandry – Stanford University * Joint work with Dan Boneh

  2. But First: My Current Work Indistinguishability Obfuscation (and variants) • Multiparty NIKE without trusted setup and with small parameters • Broadcast encryption with short ciphertexts and secret/public keys • Traitor tracing with short ciphertexts and secret/public keys • More to come Talk at NYU 2:30pm Tomorrow (11/20). Ask me for details Multilinear Maps • Can above primitives be built directly from multilinear maps?

  3. Back to Quantum

  4. Classical Crypto Ex: CCA encryption sk pk c = E(pk,m) Computational power and interactions are classical

  5. Quantum Computing Attack Aka: Post-quantum crypto Adversary has quantum computer: sk = (N,d) pk = (N,e) c = E(pk,m) N  p,q ( Shor’s alg) Interactions remain d = e -1 mod ϕ (N) classical m = D(sk,c)

  6. Defending against Quantum Computing Attacks Need crypto based on hard problems for quantum computers • Ex: lattice problems Classical security proofs (reductions) often carry through • Many reductions treat adversary as black box • Classical interactions  simulate adversary using classical techniques • Ex: OWF  PRF, IBE  CCA encryption, etc. • Exception: rewinding

  7. This Talk: Quantum Channel Attacks All parties have quantum computers sk pk c = E(pk,m) Computational power and interactions are quantum

  8. Quantum Background x = Measurement: x x (Output x with probability |α x | 2 ) Can perform any classical op: y = x F

  9. Motivation Objection: Can always measure incoming query sk pk c = E(pk,m) Attack reduced to classical channel attack

  10. Motivation Objection: Can always measure incoming query Answer: Implementing measurement securely is non-trivial • Measurement is physical – must trust hardware • What if adversary has access to device? • Only way to be certain: entangle fully with query • Requires quantum storage ≥ total data measured. Conservative approach to crypto: Use schemes secure against quantum channel attacks

  11. Proving Quantum Security Main difficulty: simulation • Adversary may query on superposition of all inputs • Exact simulation: • need an answer at every point • Distribution of all answers must be same as real setting Possible solutions: • Find reduction that answers every point correctly • Distribution of answers indistinguishable from real setting • Answer incorrectly on some inputs*

  12. What’s to come • Encryption • Pseudorandom functions • Message authentication codes • Signatures (if time)

  13. Encryption

  14. Quantum CCA Attack pk (sk,pk)  G() b  {0,1} CCA Queries c’ D sk > m ’ Challenge m b E pk > D c (sk,c ’)= D(sk,c ’) if c’≠c CCA Queries b’ c’ ⊥ if c’=c D c m ’ sk >

  15. Proving security against quantum CCA Goal: find reduction that can decrypt all queries except challenge Reduction can compute all decryption keys except challenge Example: ABB’10 selective IBE + selective IBE  CCA Reduction can decrypt every ciphertext but challenge • Needs all decryption keys but challenge

  16. Pseudorandom Functions

  17. Pseudorandom Functions Recall classical def: b  {0,1} b=0: b=1: k  K F  Funcs(X,Y) F( ・ )=F(k, ・ ) x F y b’

  18. Quantum Security for PRFs b  {0,1} b=0: b=1: k  K F  Funcs(X,Y) F( ・ )=F(k, ・ ) x F y b’

  19. The GGM Construction

  20. Pseudorandom Generators S s Y G ≈ y G 0 (s) G 1 (s)

  21. The GGM Construction S k x 0 ⟶ G x 1 ⟶ G G x 2 ⟶ G G G G F k (000) F k (001) F k (010) F k (011) F k (100) F k (101) F k (110) F k (111)

  22. Quantum Security Proof? Follow classical steps: Step 1: Hybridize over levels of tree

  23. Hybridize Over Levels Hybrid 0

  24. Hybridize Over Levels Hybrid 1

  25. Hybridize Over Levels Hybrid 2

  26. Hybridize Over Levels Hybrid 3

  27. Hybridize Over Levels Hybrid n

  28. Hybridize Over Levels PRF distinguisher will distinguish two adjacent hybrids Y Y Y Y Y Y Y Y Y Y Y Y

  29. Hybridize Over Levels PRF distinguisher will distinguish two adjacent hybrids S S S S S S S S Y Y Y Y Y Y Y Y

  30. Quantum Security Proof? Follow classical steps: ✓ Step 1: Hybridize over levels of tree Step 2: Simulate hybrids using PRG/Random samples

  31. Simulating Hybrids S S S Y Y Y S S S S S S S S Y Y Y Y Y Y Y Y

  32. How It Was Done Classically Active node: value used to answer query Only need to fill active nodes Adversary only queries polynomial number of points

  33. Quantum Simulation? Adversary can query on all exponentially-many inputs

  34. Quantum Simulation? All nodes are active! Adversary can query on all exponentially-many inputs Cannot simulate exactly with polynomial samples!

  35. A Distribution to Simulate Any distribution D on values induces a distribution on functions For all x ∈ X : y x  D H(x) = y x D D D D D D D D D D D D D D D D H : D x

  36. Simulating Hybrids Goal: simulate D X using poly samples of D G X U X S S S S S S S S Y Y Y Y Y Y Y Y

  37. Attempt 1: Systematic D D D D y 1 y 2 y 3 y 4 H(x) = y x mod r y 1 y 2 y 3 y 4 y 1 y 2 y 3 y 4 y 1 y 2 y 3 y 4 y 1 y 2 y 3 y 4 H is periodic  period learnable by quantum algorithms

  38. Attempt 2: Random D D D D y 1 y 2 y 3 y 4 R  Funcs([r],X) H(x) = y R(x) y 4 y 3 y 1 y 3 y 2 y 4 y 4 y 4 y 1 y 2 y 2 y 2 y 2 y 3 y 3 y 2 X (D) Called small range distributions, SR r

  39. Small Range Distributions Theorem : SR r X (D) is indistinguishable from D X by any q - query quantum algorithm, except with probability O(q 3 /r) Notes: • Highly non-trivial • Distinguishing prob not negligible, but good enough • We get to choose r • Random function R not efficiently constructible • [Zha’12a] Can simulate R using k -wise independence

  40. Quantum GGM Proof S S S S S S S S Y Y Y Y Y Y Y Y PRF distinguisher will distinguish two adjacent hybrids ≈ ≈ (SR distributions) (SR distributions) S S S S Y Y Y Y

  41. Quantum Security Proof? Follow classical steps: ✓ Step 1: Hybridize over levels of tree Step 2: Simulate hybrids approximately using ✓ PRG/Random samples ✓ Step 3: Hybrid over samples

  42. Quantum GGM Proof S S S S S S S S Y Y Y Y Y Y Y Y PRF distinguisher will distinguish two adjacent hybrids ≈ ≈ (SR distributions) (SR distributions) S S S S Y Y Y Y ≈ (PRG security)

  43. Message Authentication Codes (MACs)

  44. Message Authentication Codes (MACs) Recall classical def: K  {0,1} λ m 1 m i m 2 S k > σ i … m,σ Requirements: V( k,m,σ ) accepts, m ≠ m i for any i

  45. Quantum Security? K  {0,1} λ m ? 1 m i m 2 S k > σ i … m,σ Cannot copy quantum info! Requirements: • Must define success without V( k,m,σ ) accepts, reference to queries m ≠ m i for any i

  46. Quantum Security K  {0,1} λ q queries m i S k > σ i (m 0 *,σ 0 *),..., (m q *, σ q *) Adversary must produce q+1 (distinct) forgeries after making q queries

  47. PRF as a MAC Try classical construction: σ x x S S F F k k > > = σ =F(x) accept/reject

  48. Security of PRF as a MAC K  {0,1} λ q queries m i F k > σ i (m 0 *,σ 0 *),..., (m q *, σ q *) Adversary must produce q+1 (distinct) input/output pairs of F after making q queries

  49. Security of PRF as a MAC Replace F with a random function F  Funcs(M,T) q queries m i F σ i (m 0 *,σ 0 *),..., (m q *, σ q *) Oracle Interrogation: Adversary must produce q+1 (distinct) input/output pairs of random function after making q queries

  50. Quantum Oracle Interrogation Classically: hard Adv[ q+1 points]: 1/|T| ( 1/2 n for n -bit tags) Quantum: not so fast [vD’98]: random function F: X  {0,1} q quantum queries ⇒ 1.9q points w.h.p. Also true for small range size: random function F: X  {0,1} 2 ex: q quantum queries ⇒ 1.3q points w.h.p. Question: What about large range size?

  51. Quantum Oracle Interrogation Our result: Theorem: Random function F: X  T Adv[ q queries ⇒ q+1 points] ≤ (q+1)/|T| (only lose factor of q+1 relative to classical case) Highly nontrivial • Invented new quantum impossibility tool: The Rank Method Takeaway: Quantum Oracle Interrogation easier, but still hard

  52. Back to MAC Security Classical CMA: secure PRF ⇒ secure MAC (Adv: 1/|T| ) Quantum CMA: quantum-secure PRF ⇒ quantum-secure MAC (Adv: (q+1)/|T| ) Both cases: MAC size super-logarithmic ⇒ MAC is secure

  53. Signatures

  54. Signatures Naturally extend MAC definition pk (sk,pk)  G() q queries m i S sk > σ i (m 0 *,σ 0 *),..., (m q *, σ q *)

  55. Proof Difficulties Aborts are problematic • Can’t both abort and continue Adversary can tell if signatures are invalid • Need to sign all messages correctly Previous quantum proof techniques leave query intact • Known limitations in quantum setting: • MPC [ DFNS’11 ] • Fiat-Shamir in QROM [ DFG’13 ] • Cannot prove security for unique signatures (Ex: Lamport)

  56. Building Quantum-Secure Signatures First attempt: do classical constructions work? Examples: • From lattices [ CHKP ’10, ABB’ 10 ] • Using random oracles [ BR ’93, GPV’08 ] • From generic assumptions [ Rom ’ 90 ] Short answer: sometimes yes, with small modifications

Recommend

The RSA Algorithm Private-key cryptosystems: - Alice and Bob agree on the key before the

The RSA Algorithm Private-key cryptosystems: - Alice and Bob agree on the key before the

The RSA Algorithm Private-key cryptosystems: - Alice and Bob agree on the key before the communication - all cryptosystems we discussed so far - also called: symmetric-key cryptosystems Public-key cryptosystems (Chapter 6) : - what to do if

281 views • 4 slides
Cryptosystems from 1900 to 1975 Late Classical Cryptosystems From 1900 up to the mid-1970s

Cryptosystems from 1900 to 1975 Late Classical Cryptosystems From 1900 up to the mid-1970s

Cryptosystems from 1900 to 1975 Late Classical Cryptosystems From 1900 up to the mid-1970s Many important and storied examples. See: http://users.telenet.be/d.rijmenants/ Jim Royer Well talk about just one in detail: the one-time pad .

250 views • 6 slides
Outline Yet More On Cryptography Symmetric cryptosystems CS 239 Asymmetric

Outline Yet More On Cryptography Symmetric cryptosystems CS 239 Asymmetric

Outline Yet More On Cryptography Symmetric cryptosystems CS 239 Asymmetric cryptosystems Computer Security Digital signatures January 30, 2006 Digital hashes Key recovery cryptosystems Lecture 4 Lecture 4 Page 1 Page

358 views • 11 slides
Unbreakable Cryptosystems ??? Almost all of the practical cryptosystems are theoretically

Unbreakable Cryptosystems ??? Almost all of the practical cryptosystems are theoretically

Unbreakable Cryptosystems ??? Almost all of the practical cryptosystems are theoretically breakable given the time are theoretically breakable given the time Security Notions and computational resources. However,

307 views • 10 slides
Discrete-Log Based Public Key Cryptosystems Jim Royer September 25, 2018 Introduction to

Discrete-Log Based Public Key Cryptosystems Jim Royer September 25, 2018 Introduction to

Note: Log = logarithm, not Discrete-Log Based Public Key Cryptosystems Jim Royer September 25, 2018 Introduction to Cryptography 1 References Symmetric and Asymmetric Cryptosystems Public-Key Cryptosystems Based on the Discrete

436 views • 9 slides
Symmetric Key Cryptosystems Modern Symmetric Key Cryptosystems Public key cryptosystems (PKCs) and

Symmetric Key Cryptosystems Modern Symmetric Key Cryptosystems Public key cryptosystems (PKCs) and

Modern Block Ciphers DES Games with Block Ciphers Modern Block Ciphers DES Games with Block Ciphers Symmetric Key Cryptosystems Modern Symmetric Key Cryptosystems Public key cryptosystems (PKCs) and their applications are the primary focus

521 views • 5 slides
Contents Introduction to data security Public key cryptosystems: Classical

Contents Introduction to data security Public key cryptosystems: Classical

Contents Introduction to data security Public key cryptosystems: Classical cryptosystems RSA Introduction to modern Prime number generation cryptography Polynomial arithmetic T-79.159 Block ciphers: DES, IDEA,

439 views • 15 slides
Fault Attacks on Supersingular Isogeny Cryptosystems Yan Bo Ti Department of Mathematics,

Fault Attacks on Supersingular Isogeny Cryptosystems Yan Bo Ti Department of Mathematics,

Fault Attacks on Supersingular Isogeny Cryptosystems Yan Bo Ti Department of Mathematics, University of Auckland PQCrypto 2017, 26th of June 1/15 Outline 1 Preliminaries Introduction Supersingular isogenies SSI cryptosystems 2 Fault attack

378 views • 33 slides
Why Cryptosystems Fail? Ross J. Anderson - Communications of the ACM 1994 By Hassan Shahid Khan

Why Cryptosystems Fail? Ross J. Anderson - Communications of the ACM 1994 By Hassan Shahid Khan

CS 598 - COMPUTER SECURITY IN THE PHYSICAL WORLD Why Cryptosystems Fail? Ross J. Anderson - Communications of the ACM 1994 By Hassan Shahid Khan What are cryptosystems? - A suite of cryptographic algorithms (generation, encryption and

834 views • 16 slides
T-79.159 Cryptography and Data Security Lecture 2: 2.1 Classical cryptosystems 2.2.Introduction

T-79.159 Cryptography and Data Security Lecture 2: 2.1 Classical cryptosystems 2.2.Introduction

T-79.159 Cryptography and Data Security Lecture 2: 2.1 Classical cryptosystems 2.2.Introduction to modern cryptographic primitives Kaufman et al: Chapter 2 Stallings: Chapter 2 1 2.1 Classical Cryptosystems Ceasar Cipher, or Shift Cipher

555 views • 21 slides
The Design of Cryptosystems: The Interplay between Proofs and Attacks French-German-Singaporean

The Design of Cryptosystems: The Interplay between Proofs and Attacks French-German-Singaporean

The Design of Cryptosystems 1 Stefan Lucks The Design of Cryptosystems: The Interplay between Proofs and Attacks French-German-Singaporean Workshop on Applied Cryptography 3rd of December, 2010 Stefan Lucks Bauhaus-Universit at Weimar,

715 views • 48 slides
A Reaction Attack against Cryptosystems based on LRPC Codes Gustavo Banegas joint work with

A Reaction Attack against Cryptosystems based on LRPC Codes Gustavo Banegas joint work with

A Reaction Attack against Cryptosystems based on LRPC Codes Gustavo Banegas joint work with Simona Samardjiska, Paolo Santini and Edoardo Persichetti Latincrypt 2019 October 3rd, 2019 A Reaction Attack against Cryptosystems based on LRPC

590 views • 33 slides
On the Security of Supersingular Isogeny Cryptosystems Yan Bo Ti Department of Mathematics,

On the Security of Supersingular Isogeny Cryptosystems Yan Bo Ti Department of Mathematics,

On the Security of Supersingular Isogeny Cryptosystems Yan Bo Ti Department of Mathematics, University of Auckland AsiaCrypt 2016, 5th of December 1/17 Outline Joint work with Steven Galbraith , Christophe Petit and Barak Shani . 1

242 views • 23 slides
Outline Threshold Homomorphic Cryptosystems (THCs) Basic examples Secure multiparty

Outline Threshold Homomorphic Cryptosystems (THCs) Basic examples Secure multiparty

ECRYPT: Achievements and Perspectives Antwerp / May 27, 2008 PROVILAB Focus 2 Secure Multiparty Computation Based on Threshold Homomorphic Cryptosystems Berry Schoenmakers Coding & Crypto group Dept. Math & CS TU Eindhoven Outline

583 views • 13 slides
High-speed cryptography, Cryptographers part 3: more cryptosystems Working

High-speed cryptography, Cryptographers part 3: more cryptosystems Working

High-speed cryptography, Cryptographers part 3: more cryptosystems Working systems Daniel J. Bernstein Cryptanalytic University of Illinois at Chicago & algorithm designers Technische Universiteit Eindhoven Unbroken

1.49k views • 145 slides
IND-CCA2 secure cryptosystems Dan Bogdanov University of Tartu db@ut.ee Research Seminar in

IND-CCA2 secure cryptosystems Dan Bogdanov University of Tartu db@ut.ee Research Seminar in

MTAT.07.006 Research Seminar in Cryptography IND-CCA2 secure cryptosystems Dan Bogdanov University of Tartu db@ut.ee Research Seminar in Cryptography, 31.10.2005 IND-CCA2 secure cryptosystems, Dan Bogdanov 1 Overview Notion of

396 views • 20 slides
Security Notions 1

Security Notions 1

Security Notions 1 Unbreakable Cryptosystems ??? Almost all of the practical cryptosystems are theoretically breakable given the time are theoretically breakable given

1.1k views • 37 slides
Multivariate Public Key Cryptosystems Produced by Quasigroups Simona Samardjiska PhD defence

Multivariate Public Key Cryptosystems Produced by Quasigroups Simona Samardjiska PhD defence

Multivariate Public Key Cryptosystems Produced by Quasigroups Simona Samardjiska PhD defence Trondheim, June 22, 2015 Department of Telematics, Faculty of Information Technology, Mathematics and Electrical Engineering, Norwegian University of

2.51k views • 157 slides
Algorithm for RSA and Hyperelliptic Curve Cryptosystems Resistant to Simple Power Analysis

Algorithm for RSA and Hyperelliptic Curve Cryptosystems Resistant to Simple Power Analysis

Algorithm for RSA and Hyperelliptic Curve Cryptosystems Resistant to Simple Power Analysis Christophe Negre ici joined work with T. Plantard (U. of Wollongong, Australia) Journees Nationales GDR IM January 19-th, 2016 1 / 39 Outline Regular

1.15k views • 90 slides
Elliptic Curve Isogeny Based Cryptosystems Frederik Vercauteren Open Security Research (China)

Elliptic Curve Isogeny Based Cryptosystems Frederik Vercauteren Open Security Research (China)

Elliptic Curve Isogeny Based Cryptosystems Frederik Vercauteren Open Security Research (China) KU Leuven ESAT/COSIC (Belgium) frederik.vercauteren@gmail.com 23 August 2016 Frederik Vercauteren Elliptic Curve Isogeny Based Cryptosystems 23

839 views • 52 slides
Quantum cryptanalysis: How to break some classical cryptosystems with quantum computers? Miklos

Quantum cryptanalysis: How to break some classical cryptosystems with quantum computers? Miklos

Quantum cryptanalysis: How to break some classical cryptosystems with quantum computers? Miklos Santha CNRS, IRIF, Universit Paris Diderot, France and Centre for Quantum Technologies, NUS, Singapore 1/36 Plan of the talk 1 Crash course on

543 views • 36 slides
Knowing without Seeing Informational Power, Cryptosystems and the Law @mikarv Centralised Data,

Knowing without Seeing Informational Power, Cryptosystems and the Law @mikarv Centralised Data,

Michael Veale University College London // the Alan Turing Institute Knowing without Seeing Informational Power, Cryptosystems and the Law @mikarv Centralised Data, Broadcast Data is a third way possible? @mikarv References: Secure

256 views • 23 slides
Classical Cryptosystems Debdeep Mukhopadhyay Assistant Professor Department of Computer Science

Classical Cryptosystems Debdeep Mukhopadhyay Assistant Professor Department of Computer Science

Classical Cryptosystems Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and Engineering Indian Institute of Technology Kharagpur INDIA -721302 Objectives Definitions Kerckhoffs Principle Monoalphabetic

867 views • 23 slides
High-speed cryptography, part 3: more cryptosystems Daniel J. Bernstein University of Illinois

High-speed cryptography, part 3: more cryptosystems Daniel J. Bernstein University of Illinois

High-speed cryptography, part 3: more cryptosystems Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Cryptographers Working systems Cryptanalytic algorithm designers Unbroken

739 views • 44 slides

More recommend