On the power of non-adaptive quantum chosen-ciphertext attacks

Joint work with Gorjan Alagic (UMD, NIST), Stacey Jeffery (QuSoft, CWI), and Maris Ozols (QuSoft, UvA)

Alexander Poremba, Heidelberg University; California Institute of Technology

QCrypt 2018, August 29, 2018
Cryptography + Quantum Computation
Security in a quantum world

What makes a classical scheme $\Pi = (\mathsf{KeyGen}, \mathsf{Enc}, \mathsf{Dec})$ "quantum-secure"?
• ciphertexts reveal no information about plaintexts (they should look "indistinguishable")
• adversaries are assumed to be quantum, i.e. to run in quantum polynomial time (QPT).

Definition (Indistinguishability, IND): $\Pi$ has indistinguishable ciphertexts if for all QPT $A$: $\Pr[A \text{ wins IndGame}] = 1/2 + \mathrm{negl}(n)$.
Non-adaptive quantum chosen-ciphertext attacks (AJOP'18)

What if $A$ gets lunch-time access to encryption and decryption? (⇒ chosen-ciphertext attack)

Definition (Non-adaptive quantum chosen-ciphertext security): $\Pi$ is IND-QCCA1 secure if for all QPT $A$: $\Pr[A \text{ wins IndGame}] = 1/2 + \mathrm{negl}(n)$.
A secure encryption scheme
Quantum random access codes (Ambainis et al. '08)

Lemma (AJOP'18): The average bias of a quantum random access code on messages of length $N = 2^n$ encoded into a $\mathrm{poly}(n)$-sized quantum state is $O(2^{-n/2}\,\mathrm{poly}(n))$.
A secure symmetric-key encryption scheme

Theorem (AJOP'18): The construction $\Pi = (\mathsf{KeyGen}, \mathsf{Enc}, \mathsf{Dec})$ built from a quantum-secure pseudorandom function (QPRF) $\{f_k : \{0,1\}^n \to \{0,1\}^n\}$ is IND-QCCA1:
• KeyGen: sample a key $k \xleftarrow{\$} \{0,1\}^n$
• $\mathsf{Enc}_k(m) = (r, f_k(r) \oplus m)$, for $r \xleftarrow{\$} \{0,1\}^n$
• $\mathsf{Dec}_k(r, c) = c \oplus f_k(r)$

Proof idea. Fix a QPT adversary $A$.
1. Replace $f_k$ with a truly random function $f$ (justified by the QPRF assumption).
2. QRAC reduction: use $A$ against IND-QCCA1 security to construct a quantum random access code. By the Lemma, the advantage is $\epsilon = O(2^{-n/2}\,\mathrm{poly}(n))$.
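The following is an added example, not code from the slides or the AJOP'18 paper: it implements the scheme above with HMAC-SHA256 standing in for $f_k$ (an assumption made only so the code runs; HMAC is a classical PRF and is not claimed to be a QPRF), and it also shows the failure mode a practitioner should keep in mind, namely that the randomness $r$ must be fresh for every message.

```python
import hashlib
import hmac
import secrets

N_BYTES = 16  # constructed choice: n = 128-bit keys, randomness and message blocks


def keygen() -> bytes:
    """KeyGen: sample k uniformly from {0,1}^n."""
    return secrets.token_bytes(N_BYTES)


def prf(k: bytes, r: bytes) -> bytes:
    """Stand-in for f_k(r): HMAC-SHA256 truncated to n bits.

    Assumption: HMAC-SHA256 is used here only as a classical PRF so the code
    runs; the theorem needs a quantum-secure PRF, which this is not claimed to be.
    """
    return hmac.new(k, r, hashlib.sha256).digest()[:N_BYTES]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def enc(k: bytes, m: bytes, r=None):
    """Enc_k(m) = (r, f_k(r) XOR m) with fresh r <-$ {0,1}^n.

    The optional r argument exists only so the reuse demonstration below can
    force the same r twice; normal callers never pass it.
    """
    if len(m) != N_BYTES:
        raise ValueError("message must be exactly n bits")
    if r is None:
        r = secrets.token_bytes(N_BYTES)
    return r, xor(prf(k, r), m)


def dec(k: bytes, ct) -> bytes:
    """Dec_k(r, c) = c XOR f_k(r)."""
    r, c = ct
    return xor(c, prf(k, r))


def roundtrip_ok(k: bytes, m: bytes) -> bool:
    """Correctness: decrypting a fresh encryption of m returns m."""
    return dec(k, enc(k, m)) == m


def reused_r_leaks_xor(k: bytes, m1: bytes, m2: bytes) -> bool:
    """Why r must be fresh: if the same r were used twice, the pad f_k(r)
    cancels and the two ciphertext bodies XOR to m1 XOR m2 without any
    knowledge of k. Returns True when the leak is observed."""
    r = secrets.token_bytes(N_BYTES)
    _, c1 = enc(k, m1, r)
    _, c2 = enc(k, m2, r)
    return xor(c1, c2) == xor(m1, m2)
```

The security proof on the slide relies on $r$ being sampled uniformly per encryption; the last function makes concrete what goes wrong when an implementation violates that (the scheme degrades to a two-time pad), which is the property to test for when reviewing an implementation.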
Learning with Errors
Learning with Errors (Regev '05)

Learning with Errors (LWE)
• primary basis of hardness for post-quantum cryptography
• allows for PKE, FHE, QPRFs, ...

Search problem: recover a secret string $s \in \mathbb{Z}_q^n$ from a set of noisy linear equations modulo $q$:
$a_1 \xleftarrow{\$} \mathbb{Z}_q^n;\quad c_1 = \langle a_1, s\rangle + e_1$
$a_2 \xleftarrow{\$} \mathbb{Z}_q^n;\quad c_2 = \langle a_2, s\rangle + e_2$
$\vdots$
$a_m \xleftarrow{\$} \mathbb{Z}_q^n;\quad c_m = \langle a_m, s\rangle + e_m$

Symmetric-key encryption using LWE
• KeyGen: choose key $s \xleftarrow{\$} \mathbb{Z}_q^n$.
• $\mathsf{Enc}_s(b) = (a, \langle a, s\rangle + e + b\lfloor q/2\rfloor)$
• $\mathsf{Dec}_s(a, c) = 0$ if $|c - \langle a, s\rangle| \le \lfloor q/4\rfloor$, else $1$.

[Figure: the two decryption windows on $\mathbb{Z}_q$, labelled $b = 0$ (centred at $0$) and $b = 1$ (centred at $\lfloor q/2\rfloor$).]

This talk:
• new quantum attack on plain LWE encryption
• the attack uses a single quantum decryption query
• classical attack: $\Omega(n \log q)$ decryption queries
• quantum attack: $O(1)$ decryption queries
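As an added example (not code from the slides or the paper), here is the bit-encryption scheme above for toy parameters, together with a check of the error budget it tolerates: decryption sees $c - \langle a, s\rangle = e + b\lfloor q/2\rfloor \pmod q$ regardless of $a$ and $s$, so the set of errors that decrypt correctly can be enumerated without a key. The error distribution (uniform on $[-B, B]$) and the parameter values are constructed for the example; the paper's attack does not depend on them.

```python
import secrets


def center(t: int, q: int) -> int:
    """Representative of t mod q in the centred range [-q//2, q-1-q//2]."""
    return ((t + q // 2) % q) - q // 2


def inner(a, s, q):
    return sum(x * y for x, y in zip(a, s)) % q


def keygen(n, q):
    """KeyGen: s <-$ Z_q^n."""
    return [secrets.randbelow(q) for _ in range(n)]


def sample_error(bound):
    """Constructed error distribution: uniform on [-bound, bound], a stand-in
    for the discrete Gaussian usually used with LWE."""
    return secrets.randbelow(2 * bound + 1) - bound


def enc(s, b, q, err_bound):
    """Enc_s(b) = (a, <a,s> + e + b*floor(q/2)) with a <-$ Z_q^n."""
    a = [secrets.randbelow(q) for _ in range(len(s))]
    e = sample_error(err_bound)
    return a, (inner(a, s, q) + e + b * (q // 2)) % q


def dec(s, ct, q):
    """Dec_s(a, c) = 0 if |c - <a,s>| <= floor(q/4) (centred mod q), else 1."""
    a, c = ct
    return 0 if abs(center(c - inner(a, s, q), q)) <= q // 4 else 1


def decrypts_correctly(q, e, b):
    """Decryption only ever sees e + b*floor(q/2) (mod q), so correctness for a
    given (e, b) is decided here without any key or ciphertext."""
    return (0 if abs(center(e + b * (q // 2), q)) <= q // 4 else 1) == b


def max_safe_error(q):
    """Largest B such that every |e| <= B decrypts both bits correctly.
    Beyond B, a b = 1 ciphertext with negative error wraps into the b = 0
    window (or a b = 0 ciphertext leaves it) and decryption fails."""
    best = -1
    for B in range(q):
        if all(decrypts_correctly(q, e, b) for e in range(-B, B + 1) for b in (0, 1)):
            best = B
        else:
            break
    return best


def roundtrip_all(n, q, err_bound, trials):
    """End-to-end correctness over random keys, coins and both plaintext bits."""
    s = keygen(n, q)
    return all(dec(s, enc(s, b, q, err_bound), q) == b
               for _ in range(trials) for b in (0, 1))
```

Note that the safe error bound is slightly below $\lfloor q/4\rfloor$ for the $b = 1$ case because $\lfloor q/2\rfloor - \lfloor q/4\rfloor$ and the centred range are not symmetric; implementations should derive the noise parameter from the decryption rule rather than assume $q/4$.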
Quantum attack
Bernstein-Vazirani for linear rounding (AJOP'18)

Linear rounding function with key $s \in \mathbb{Z}_q^n$:
$\mathrm{LRF}_s(x) := 0$ if $|\langle x, s\rangle| \le \lfloor q/4\rfloor$, and $1$ otherwise.

Oracle: $U_{\mathrm{LRF}_s} : |x\rangle|b\rangle \mapsto |x\rangle|b \oplus \mathrm{LRF}_s(x)\rangle$

Algorithm (oracle query with a $(|0\rangle - |1\rangle)/\sqrt{2}$ ancilla for phase kickback, then the quantum Fourier transform over $\mathbb{Z}_q^n$):
$\frac{1}{\sqrt{q^n}} \sum_{x \in \mathbb{Z}_q^n} |x\rangle \otimes \frac{|0\rangle - |1\rangle}{\sqrt{2}} \;\longrightarrow\; \frac{1}{\sqrt{q^n}} \sum_{x \in \mathbb{Z}_q^n} (-1)^{\mathrm{LRF}_s(x)} |x\rangle \;\longrightarrow\; \frac{1}{q^n} \sum_{y, x \in \mathbb{Z}_q^n} (-1)^{\mathrm{LRF}_s(x)}\, e^{\frac{2\pi i}{q}\langle x, y\rangle} |y\rangle$

Success probability: $\Pr[y = s] \approx 4/\pi^2$.
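The following is an added example, not code from the slides or the paper: an exact state-vector simulation of the three steps above for tiny parameters ($q = 7$, $n = 2$), so the $4/\pi^2$ figure can be checked numerically rather than taken on trust. The closed form used to cross-check the simulation (the amplitude at $y = s$ collapses to a one-dimensional cosine sum because all $q^{n-1}$ vectors $x$ with the same $\langle x, s\rangle$ contribute identically) is derived here from the slide's expression and is an added calculation; it assumes $q$ prime and $s \ne 0$. Note that $\mathrm{LRF}_s(x)$ is exactly $\mathsf{Dec}_s(x, 0)$ of the LWE scheme on the previous slide, which is how a single quantum decryption query supplies the oracle; from the defender's side this is the reason plain LWE bit encryption must not be exposed to quantum decryption access.

```python
import cmath
import itertools
import math


def center(t, q):
    """Representative of t mod q in the centred range [-q//2, q-1-q//2]."""
    return ((t + q // 2) % q) - q // 2


def lrf(x, s, q):
    """LRF_s(x) = 0 if |<x,s>| <= floor(q/4) (centred mod q), else 1.
    Identical to Dec_s(x, 0) of the LWE bit-encryption scheme."""
    t = center(sum(a * b for a, b in zip(x, s)), q)
    return 0 if abs(t) <= q // 4 else 1


def bv_distribution(s, q):
    """Exact simulation: uniform superposition over Z_q^n, phase kickback
    (-1)^{LRF_s(x)} from one oracle query, then the QFT over Z_q^n.
    Returns Pr[measure y] for every y in Z_q^n (keys are tuples)."""
    n = len(s)
    points = list(itertools.product(range(q), repeat=n))
    # amplitudes (up to the 1/sqrt(q^n) factor) after the oracle call
    signs = {x: (-1) ** lrf(x, s, q) for x in points}
    omega = cmath.exp(2j * math.pi / q)
    probs = {}
    for y in points:
        amp = sum(signs[x] * omega ** (sum(a * b for a, b in zip(x, y)) % q)
                  for x in points) / q ** n
        probs[y] = abs(amp) ** 2
    return probs


def success_probability(s, q):
    """Pr[y = s] for the simulated run; the slide's asymptotic value is 4/pi^2."""
    return bv_distribution(s, q)[tuple(s)]


def predicted_success_probability(q):
    """Closed form (added here, assumes q prime, s != 0): grouping x by
    t = <x,s> gives amplitude (1/q) * sum_t (-1)^{LRF(t)} omega^t
    = (2/q) * sum_{|t| <= floor(q/4)} cos(2 pi t / q), since the full sum of
    q-th roots of unity vanishes. Tends to 2/pi, so the probability to 4/pi^2."""
    k = q // 4
    return ((2 / q) * sum(math.cos(2 * math.pi * t / q) for t in range(-k, k + 1))) ** 2
```

Because $\mathrm{LRF}_s$ is symmetric under $t \mapsto -t$, the simulation also shows $\Pr[y = -s] = \Pr[y = s]$, and all remaining mass sits on other multiples of $s$; a practitioner can verify the two outcomes by checking them against a known encryption, which is part of why one quantum query suffices where $\Omega(n \log q)$ classical ones are needed.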
Our results (AJOP'18)

Non-adaptive quantum chosen-ciphertext attacks:
1. Formal security definition (IND-QCCA1)
   • "half-way" between the existing security notions: IND-QCCA2 (BZ'13) ⟹ IND-QCCA1 (AJOP'18) ⟹ IND-QCPA (BJ'15)
2. A secure symmetric-key encryption scheme: the QPRF construction (AJOP'18)
   • uses quantum-secure pseudorandom functions
   • proof technique: quantum random access codes
3. Quantum attack on Learning with Errors encryption
   • Bernstein-Vazirani algorithm for linear rounding
Questions?