post quantum security of symmetric key schemes

(post-)quantum security of symmetric key schemes NTT Secure - PowerPoint PPT Presentation



  1. Towards a better understanding of (post-)quantum security of symmetric key schemes. NTT Secure Platform Laboratories (and Nagoya University). Akinori Hosoyamada, @ASK 2019 (2019.12.13)

  2. Introduction

  3. Quantum Attacks against Symmetric Cryptosystems? It has been said that symmetric key schemes would not be much affected by quantum computers.

  4. Known Quantum Attacks: ~2010
     Attack                  Classical     Quantum
     Exhaustive key search   O(2^n)        O(2^{n/2})
     Collision finding       O(2^{n/2})    O(2^{n/3})
     "2n-bit key suffices"

  5. Known Quantum Attacks: Today
     Attack                         Classical     Quantum
     Exhaustive key search          O(2^n)        O(2^{n/2})
     Collision finding              O(2^{n/2})    O(2^{n/3})
     Key recovery on Even-Mansour   O(2^{n/2})    Polynomial time
     Forgery against CBC-MAC        O(2^{n/2})    Polynomial time
     Remark: the last two attacks assume that quantum keyed oracles are available.

  6. Quantum Attacks against Symmetric Cryptosystems? It has been said that symmetric key schemes would not be much affected by quantum computers. Symmetric key schemes may be significantly affected!!
     ・ Attacks by Kuwakado and Morii at ISIT2010, ISITA2012
     ・ Attacks by Kaplan et al. at CRYPTO2016

  7. Quantum Attacks against Symmetric Cryptosystems? It has been said that symmetric key schemes would not be much affected by quantum computers. Symmetric key schemes may be significantly affected!!
     ・ Attacks by Kuwakado and Morii at ISIT2010, ISITA2012
     ・ Attacks by Kaplan et al. at CRYPTO2016
     Post-quantum security of symmetric schemes should be analyzed more carefully.

  8. Attack Models: Chosen Plaintext Attack. [Diagram: the adversary, using a classical computer, sends messages to the Enc. oracle and receives ciphertexts]

  9. Attack Models: Chosen Plaintext Attack, Q1 model (classical query). [Diagram: the adversary has a quantum computer, but the messages sent to the Enc. oracle and the ciphertexts returned are classical]

  10. Attack Models: Chosen Plaintext Attack, Q2 model (quantum query). [Diagram: the adversary has a quantum computer and queries a quantum Enc. oracle with superposed messages, receiving superposed ciphertexts]

  11. Question: Why should we consider quantum query attacks?
     A1. Classical algorithms can be converted into quantum algorithms: quantum query attacks on white-box implementations.
     A2. Quantum query attacks lead to more realistic [classical query + quantum computation] attacks. Ex.) Offline Simon's algorithm at Asiacrypt 2019.
     A3. For hash functions, quantum query attacks are natural.
     A4. If a scheme is secure against quantum query attacks, it can be used in cryptographic applications that run on quantum computers.

  12. Question: Why should we consider quantum query attacks?
     A1. Classical algorithms can be converted into quantum algorithms: quantum query attacks on obfuscated implementations?
     A2. Quantum query attacks lead to more realistic [classical query + quantum computation] attacks. Ex.) Offline Simon's algorithm at Asiacrypt 2019.
     A3. For hash functions, quantum query attacks are natural.
     A4. If a scheme is secure against quantum query attacks, it can be used in cryptographic applications that run on quantum computers.

  16. Quantum Query Attacks

  17. Known Quantum Attacks: Today
     Attack                         Classical     Quantum
     Exhaustive key search          O(2^n)        O(2^{n/2})
     Collision finding              O(2^{n/2})    O(2^{n/3})
     Key recovery on Even-Mansour   O(2^{n/2})    Polynomial time (Simon's algorithm)
     Forgery against CBC-MAC        O(2^{n/2})    Polynomial time (Simon's algorithm)
     Remark: the last two attacks assume that quantum keyed oracles are available.

  19. Simon's period finding algorithm
     Problem: Suppose f: {0,1}^n → S and s ∈ {0,1}^n satisfy ∀x ∈ {0,1}^n: f(x ⊕ s) = f(x). Given oracle access to f, find s.
     Classical algorithms: exponential time. Simon's quantum algorithm: polynomial time [Sim97].
     [Sim97] Daniel R. Simon. On the power of quantum computation. SIAM Journal on Computing, 26(5):1474–1483, 1997.

  20. Simon's period finding algorithm
     Problem: Suppose f: {0,1}^n → S and s ∈ {0,1}^n satisfy ∀x ∈ {0,1}^n: f(x ⊕ s) = f(x). Given oracle access to f, find s.
     Classical algorithms: exponential time. Simon's quantum algorithm: polynomial time [Sim97].
     To mount poly-time attacks, it is important to reduce the target problem to Simon's problem.
     [Sim97] Daniel R. Simon. On the power of quantum computation. SIAM Journal on Computing, 26(5):1474–1483, 1997.

  21. Key-Recovery Attack on Even-Mansour
     [Diagram: Even-Mansour cipher E_{k1,k2}: x ⊕ k1 → P → ⊕ k2 (P: public permutation)]
     Quantum CPA against Even-Mansour ciphers: f(x) = E_{k1,k2}(x) ⊕ P(x) satisfies f(x ⊕ k1) = f(x).
     • We can recover k1 in polynomial time with Simon's algorithm.
     • k2 can easily be recovered since we have E_{k1,k2}(x) ⊕ P(x ⊕ k1) = k2.
     [KM12] H. Kuwakado and M. Morii: Security on the quantum-type Even-Mansour cipher. ISITA 2010.
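As an added example (not part of the slides), the reduction of slides 19 to 21 carried out in Python on a toy 6-bit Even-Mansour cipher: the public permutation, the keys and the random seeds are constructed for the demo, and one run of Simon's circuit is simulated exactly by computing the measurement distribution of the circuit rather than by taking any shortcut through the secret.

```python
import random

N = 6                        # toy block size in bits (constructed; real ciphers use n = 128)
K1, K2 = 0b101101, 0b011010  # the secret keys (constructed for the demo)

def make_permutation(n, seed):
    """Public permutation P on n-bit blocks (constructed; known to everyone)."""
    rng = random.Random(seed)
    perm = list(range(1 << n))
    rng.shuffle(perm)
    return perm

P = make_permutation(N, 2019)

def even_mansour(x, k1=K1, k2=K2):
    """E_{k1,k2}(x) = P(x xor k1) xor k2, the keyed oracle of slide 21."""
    return P[x ^ k1] ^ k2

def f(x):
    """Slide 21 reduction: f(x) = E_{k1,k2}(x) xor P(x) has period k1."""
    return even_mansour(x) ^ P[x]

def dot(a, b):
    """Inner product of two bit vectors over GF(2)."""
    return bin(a & b).count("1") & 1

def simon_sample(func, n, rng):
    """Exact simulation of one run of Simon's circuit (no shortcut via s).
    Measuring the output register after the oracle gives v with probability
    |func^-1(v)| / 2^n and collapses the input register onto the preimages of v;
    the final Hadamard layer then outputs y with probability proportional to
    (sum_{x in preimages} (-1)^{x . y})^2, which vanishes unless y . s = 0."""
    v = func(rng.randrange(1 << n))
    pre = [x for x in range(1 << n) if func(x) == v]
    weights = [sum(-1 if dot(x, y) else 1 for x in pre) ** 2 for y in range(1 << n)]
    return rng.choices(range(1 << n), weights=weights)[0]

def recover_period(func, n, rng, samples=None):
    """Return the unique nonzero s orthogonal to all sampled y (brute-force GF(2)
    nullspace, fine for toy n; real attacks use Gaussian elimination on O(n) y's)."""
    ys = [simon_sample(func, n, rng) for _ in range(samples or 8 * n)]
    cands = [s for s in range(1, 1 << n) if all(dot(s, y) == 0 for y in ys)]
    return cands[0] if len(cands) == 1 else None

def recover_keys(seed=7):
    """k1 from the period of f, then k2 = E_{k1,k2}(x) xor P(x xor k1) (slide 21)."""
    k1 = recover_period(f, N, random.Random(seed))
    if k1 is None:
        return None
    return k1, even_mansour(0) ^ P[0 ^ k1]
```

The simulation costs O(2^n) per sample, so it only illustrates why the reduction works; the point of slide 20 is that on a quantum computer the same sampling step is polynomial in n.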

  22. Various MACs/AEs are broken in poly-time… If quantum queries are allowed, Simon's algorithm breaks
     – CBC-MAC
     – PMAC
     – GMAC
     – GCM
     – OCB
     …
     in polynomial time!
     [Diagram: the periodic function f_b(x) built from E_{k1} and E_{k2} on inputs α_b(x)]
     M. Kaplan, G. Leurent, A. Leverrier, and M. Naya-Plasencia: Breaking symmetric cryptosystems using quantum period finding (CRYPTO 2016)

  23. Luby-Rackoff (Feistel) Construction: Security in the classical setting
     Rounds    PRP? (secure against CPA?)    SPRP? (secure against CCA?)
     2-round   ×                             ×
     3-round   〇                            ×
     4-round   〇                            〇
     5-round   〇                            〇
     M. Luby, C. Rackoff: How to construct pseudo-random permutations from pseudorandom functions (CRYPTO '85)

  24. Luby-Rackoff (Feistel) Construction: Security in the quantum setting
     Rounds    PRP? (secure against CPA?)    SPRP? (secure against CCA?)
     2-round   ×                             ×
     3-round   × [KM10]                      ×
     4-round   〇 [HI19]                     × [IHMSI19]
     5-round   〇 [HI19]                     ?
     [KM10] H. Kuwakado, M. Morii: Quantum distinguisher between the 3-round Feistel cipher and the random permutation (ISIT 2010)
     [IHMSI19] G. Ito, A. Hosoyamada, R. Matsumoto, Y. Sasaki, T. Iwata: Quantum Chosen-Ciphertext Attacks Against Feistel Ciphers (CT-RSA 2019)
     [HI19] A. Hosoyamada, T. Iwata: 4-Round Luby-Rackoff Construction is a qPRP (Asiacrypt 2019)

  25. Other Quantum Query Attacks
     • Speed-up for differential/linear cryptanalysis [KLLN16b]
     • Key recovery attacks on Feistel by using the quantum distinguishers [HS18b, IHMSI19]
     • The attack with Kuperberg's algorithm [BN18]
     • The attack on the FX construction by Leander and May [LM17]
     • Speed-up for the Demirci-Selçuk meet-in-the-middle attack [HS18b, BNS19]
     [BN18] X. Bonnetain, M. Naya-Plasencia: Hidden Shift Quantum Cryptanalysis and Implications. Asiacrypt 2018.
     [HS18b] A. Hosoyamada, Y. Sasaki: Quantum Demiric-Selçuk Meet-in-the-Middle Attacks: Applications to 6-Round Generic Feistel Constructions. SCN 2018.
     [IHMSI19] G. Ito, A. Hosoyamada, R. Matsumoto, Y. Sasaki, T. Iwata: Quantum Chosen-Ciphertext Attacks Against Feistel Ciphers. CT-RSA 2019.
     [KLLN16b] M. Kaplan, G. Leurent, A. Leverrier, M. Naya-Plasencia: Quantum Differential and Linear Cryptanalysis. IACR Trans. Symmetric Cryptol. 2016(1), pp. 71-94.
     [LM17] G. Leander, A. May: Grover Meets Simon - Quantumly Attacking the FX-construction. Asiacrypt 2017.
     [BNS19] X. Bonnetain, M. Naya-Plasencia, A. Schrottenloher: Quantum Security Analysis of AES. IACR Trans. Symmetric Cryptol. 2019(2), pp. 55-93.

  26. Attacks with Classical Query + Quantum Computation
