preparing symmetric crypto for the quantum world
play

Preparing Symmetric Crypto for the Quantum World Mar a - PowerPoint PPT Presentation

May 30, 2023 •156 likes •882 views

Preparing Symmetric Crypto for the Quantum World Mar a Naya-Plasencia Inria, France ERC project QUASYModo FSE 2019 Paris - March 26 2019 Preliminaries... No quantum knowledge needed for following this talk Outline Introduction

  1. Preparing Symmetric Crypto for the Quantum World Mar´ ıa Naya-Plasencia Inria, France ERC project QUASYModo FSE 2019 Paris - March 26 2019

  2. Preliminaries... No quantum knowledge needed for following this talk

  3. Outline Introduction ◮ Motivation, scenarios and evolution Useful quantum tools ◮ Presentation of some results ◮ Building new useful quantum tool: • collision and k-xor algorithms Some quantum attacks (Simon +) • Final conclusion and Open problems ◮

  4. Motivation

  5. Cryptanalysis: Foundation of Confidence Ideal security defined by generic attacks ( 2 | K | ). ◮ Does real security meet this ideal security? Need of continuous security evaluation. Any attack better than the generic one is considered a “break”. We are often left with an empirical measure ◮ of the security: cryptanalysis. 1/57

  6. Very Important Notion: Security Margin If no attack is found on a given cipher, what can we say about its robustness? The security of a cipher is not a 1-bit information: Round-reduced attacks. • Analysis of components. • ⇒ determine and adapt the security margin. 2/57

  7. Very Important Notion: Security Margin Best attacks determine the security margin ◮ ⇒ Possibly with high complexities: find the highest number of rounds reached. Allows to compare primitives. ◮ The estimates of security margin need to be ◮ precise and correct in order to be meaningful. 3/57

  8. Post-Quantum Cryptography Asymmetric (e.g. RSA): Shor’s algorithm: Factorization in polynomial time ⇒ current systems not secure! Solutions: lattice-based, code-based cryptography... Symmetric (e.g. AES): Grover’s algorithm: Exhaustive search 2 | K | → 2 | K | / 2 Double key length for equivalent ideal security. Much to learn about cryptanalysis when having quantum computing available. 4/57

  9. Post-Quantum Cryptography Problem for present existing long-term secrets. ⇒ start using quantum-safe primitives NOW. Important tasks: Conceive the cryptanalysis algorithms for ◮ evaluating the security of symmetric primitives in the P-Q world. Use them to evaluate and design symmetric ◮ primitives for the P-Q world. 5/57

  10. On Quantum Attacks Compare to best generic attack, ◮ generic attack is accelerated, so ◮ broken classical primitive might be unbroken ◮ in a quantum setting: e.g. a primitive might not have 256-bits security against a classical adversary but might have 128- bit security against a quantum one. 6/57

  11. Scenarios and Models

  12. Considered Scenarios Model Q 0 ◮ classical attacks with classical computers. Model Q 1 ◮ Q 0 + access to a quantum computer. Model Q 2 ◮ Q 1 + superposition queries to a quantum cryptographic oracle (QCO). Model Q 3 ◮ Q 1 + superposition queries with the differences of a secret key in a QCO. 7/57

  13. Model Q 0 Nothing new here. 8/57

  14. Model Q 1 So far, the best we have obtained is a ◮ quadratic speed-up, but it can be smaller: If a primitive is safe in Q 0 , • it will also be in Q 1 . Does this mean that (so far) the Q 1 ◮ scenario/results are not interesting? No! safe = no attack better than generic attack 9/57

  15. Model Q 1 In a post-quantum future: Classical or quantum surnames will disappear: ◮ Expected security given by their best generic attack ( e.g. Grover). And security margin? → determined by the highest number of rounds cryptanalyzed with any attack more performant than generic. Q 1 results: important information needed for ◮ determining the unique and future security margin. 10/57

  16. Model Q 2 Very powerful, BUT... Many good reasons to study security in this scenario: Simple: used in security proofs. ◮ Non-trivial: Many constructions still seem ◮ resistant. Inclusive of all intermediate scenarios: ◮ protocols, obfuscation, hybrid machines, incompetent users... 11/57

  17. Model Q 2 Defined and used in many results: [Zhandry12], [Boneh-Zhandry13], [Damg˚ ard- Funder-Nielsen-Salvail13], [Mossayebi-Schack16], [Song-Yun17], Simon’s attacks, FX, AEZ... An attack in this model ⇒ we need to be extra careful when implementing the primitive in a quantum computer. 12/57

  18. Model Q 3 Super strong model: Everything is broken [Roetteler-Steinwandt 15] Too strong model! 13/57

  19. Another scenario classification Scenario A) With big quantum memory or Scenario B) quantum memory limited to poly ( n ) The first one: interesting from a theoretical point of view and for considering trade-offs, The second one: more ”realistic” scenario. 14/57

  20. Evolution

  21. First Results Quantum Symmetric Cryptanalysis: ◮ Quantum analysis of CubeHash [Leurent 10] ◮ Simon on 3-round Feistel [Kuwakado Morii 10] ◮ Simon on Even-Mansour [Kuwakado Morii 12] ◮ Quantum MITM iterated ciphers [Kaplan14] ◮ Quantum Related-Key [Roetteler-Steinwandt15] 15/57

  22. Quantum Symmetric Cryptanalysis In 2015/2016: ◮ [Kaplan-Leurent-Leverrier-NP16] Simon on modes/slide attacks. [Kaplan-Leurent-Leverrier-NP16b] Diff/linear. Many new results since: FX [Leander-May17], parallel multi- preim. [Banegas-Bernstein17], Multicollision [Hosoyamada-Sasaki- Xagawa17], Mitm Q1 [Hosoyamada Sasaki 18], DS Mitm Feistel [Hosoyamada Sasaki 18], Miss-in-the-middle [Xie, Yang 18], Feistel key-recovery [Dong, Wang 18], CCA on Feistel [Ito et al 19]... 16/57

  23. Recent activity from QUASYModo ◮ Efficient Collisions [Chailloux NP Schrottenloher Asiacrypt17], ◮ Quantum cryptanalysis of AEZ [Bonnetain SAC17] ◮ On modular additions [Bonnetain NP Asiacrypt 2018] ◮ k-xor problem [Grassi NP Schrottenloher Asiacrypt2018] ◮ AES quantum evaluation [Bonnetain NP Schrottenloher 18] ◮ On quantum slide attacks [Bonnetain NP Schrottenloher 18] ◮ Quantum security analysis of CSIDH[Bonnetain Schrottenloher18] ◮ Optimal merging the k-xor problem [NP Schrottenloher 19] ◮ Improved low-qubit hidden shift algorithms [Bonnetain 19] 17/57

  24. Some Useful Quantum Tools

  25. Some Quantum Tools... ...that have been useful so far. Amplitude Amplification (AA) /Grover ◮ Quantum Counting ◮ Quantum Collisions ◮ Simon ◮ Kuperberg ◮ 18/57

  26. Amplitude Amplification (Grover’s generalization) Exhaustive search : Given f : { 0 , 1 } n → { 0 , 1 } , find one element x ∈ { 0 , 1 } n such that f ( x ) = 1 . 2 n Classical complexity: Ω( | supp ( f ) | ) . ◮ Quantum complexity [Brassard-Hoyer 97]: ◮ � 2 n Ω( | supp ( f ) | ) . �� � 2 n In detail, we will see later: O | supp ( f ) | ( s T + f T ) . 19/57

  27. Quantum Counting Algorithm Distinguish a biased distribution : Given a Bernouilli distribution, determine with high probability whether it has a parameter 1 / 2 or 1 / 2 + ε . � 1 � Classical complexity: O . ◮ ε 2 Quantum complexity: ◮ � 1 � [Brassard-Hoyer-Tapp 98] O . ε 20/57

  28. Quantum Collision Algorithms Collision problem : Given a random function H : { 0 , 1 } n → { 0 , 1 } n , find x, y ∈ { 0 , 1 } n with x � = y such that H ( x ) = H ( y ) . Classical complexity: Ω(2 n/ 2 ) . ◮ Quantum complexity: ◮ � 2 n/ 3 � [Brassard-Hoyer-Tapp 97] O in queries, in time and in quantum memory → scenario A. (Scenario B later) 21/57

  29. Simon’s algorithm Simon’s problem : Given f : { 0 , 1 } n →{ 0 , 1 } n such that ∃ s | f ( x ) = f ( y ) ⇐ ⇒ [ x = y or x ⊕ y = s ] , find s . Classical complexity: Ω(2 n/ 2 ) . ◮ Quantum complexity [Simon 94]: � O ( n ) . ◮ 22/57

  30. Kuperberg’s algorithm Hidden Shift Problem with modular addition : Let f , g be two injective functions, ( G , +) a group. Given the promise that there exists s ∈ G such that, for all x , f ( x ) = g ( x + s ) , retrieve s . Classical complexity: Ω(2 n/ 2 ) . ◮ Quantum complexity: ◮ O ( √ n ) . [Kuperberg 05] 2 � 23/57

  31. Some new Results New useful Quantum Tools

  32. Some New Useful Quantum Tools New Quantum Collision Algorithm ◮ Quantum K-xor Algorithms ◮ Multicollisions ◮ Grover-meets-Simon ◮ Simon-meets-Kuperberg ◮ Framework for quantizing classical attacks ◮ Quantumly efficient DDT equivalent ◮ Miss-in-the-middle search ◮ 24/57

  33. Collision Search with A. Chailloux, A. Schrottenloher

  34. Collision Search Problem H : { 0 , 1 } n Given a random function → { 0 , 1 } n , find x, y ∈ { 0 , 1 } n with x � = y such that H ( x ) = H ( y ) . Many applications: e.g. generic attacks on hash functions. (Multi-target preimage search can be seen as a particular case). 25/57

  35. Best known algorithms Time Queries Qubits Classical Memory 2 n/ 2 2 n/ 2 Pollard 0 O ( n ) 2 n/ 2 2 n/ 2 Grover O ( n ) 0 2 2 n/ 3 * 2 n/ 3 2 n/ 3 BHT O ( n ) * 2 n/ 3 2 n/ 3 2 n/ 3 Ambainis 0 26/57

  36. Considered Model The same one as in the previous collision ◮ quantum algorithms BUT we limit the amout of quantum memory available to a small amount O ( n ) : scenario B instead of A. Available small quantum computers seem ◮ like the most plausible scenario. We are interested in the theoretical algorithm ◮ and we did not take into account yet implementation aspects. 27/57

  37. Starting Point: BHT Algorithm Optimal number of queries, ◮ O ( n ) qubits (scenario B), ◮ But time? ◮ 28/57

Recommend

Outline Crypto intro Computer Security: Secret Key Crypto Symmetric crypto Bart Jacobs

Outline Crypto intro Computer Security: Secret Key Crypto Symmetric crypto Bart Jacobs

Crypto intro Crypto intro Symmetric crypto Symmetric crypto Achieving security goals with symmetric crypto Radboud University Nijmegen Achieving security goals with symmetric crypto Radboud University Nijmegen e-Passport example

269 views • 7 slides
Outline Crypto intro Computer Security: Secret Key Crypto Symmetric crypto Achieving security

Outline Crypto intro Computer Security: Secret Key Crypto Symmetric crypto Achieving security

Crypto intro Crypto intro Symmetric crypto Symmetric crypto Achieving security goals with symmetric crypto Achieving security goals with symmetric crypto Radboud University Nijmegen Radboud University Nijmegen e-Passport example

1.11k views • 12 slides
The Quantum Risk & Post-Quantum Crypto JP Aumasson The Quantum Risk & Post-Quantum

The Quantum Risk & Post-Quantum Crypto JP Aumasson The Quantum Risk & Post-Quantum

The Quantum Risk & Post-Quantum Crypto JP Aumasson The Quantum Risk & Post-Quantum Crypto JP Aumasson uantum /me 15 years experience in applied cryptography (PhD, industry, consulting) Designed widely used algorithms Author of the

816 views • 52 slides
Leakage-Resilient (Symmetric) Cryptography Franois-Xavier Standaert UCL Crypto Group, Belgium

Leakage-Resilient (Symmetric) Cryptography Franois-Xavier Standaert UCL Crypto Group, Belgium

Leakage-Resilient (Symmetric) Cryptography Franois-Xavier Standaert UCL Crypto Group, Belgium Summer school on real-world crypto, 2016 Outline Starting point (link with previous lecture) Seed results (TCC 2004, FOCS 2008)

1.14k views • 111 slides
CRYPTO HERE, CRYPTO THERE, CRYPTO, CRYPTO EVERYWHERE WORLD AQUATIC HEALTH CONFERENCE

CRYPTO HERE, CRYPTO THERE, CRYPTO, CRYPTO EVERYWHERE WORLD AQUATIC HEALTH CONFERENCE

CRYPTO HERE, CRYPTO THERE, CRYPTO, CRYPTO EVERYWHERE WORLD AQUATIC HEALTH CONFERENCE WILLIAMSBURG, VA THURSDAY, OCTOBER 17 TH , 2019 JOHN KELLY, PE IOWA DEPARTMENT OF PUBLIC HEALTH DISCLAIMER THIS PRESENTATION: IS INTENDED FOR

843 views • 40 slides
Quantum Attacks on Symmetric Cryptography Gregor Leander (joint work with Alex May) MMC 2017

Quantum Attacks on Symmetric Cryptography Gregor Leander (joint work with Alex May) MMC 2017

Introduction Quantum Basics Grover Grover and Simon on Symmetric Crypto The FX Construction Conclusion Quantum Attacks on Symmetric Cryptography Gregor Leander (joint work with Alex May) MMC 2017 Introduction Quantum Basics Grover Grover

1.45k views • 97 slides
Computer Security: Secret Key Crypto B. Jacobs Institute for Computing and Information Sciences

Computer Security: Secret Key Crypto B. Jacobs Institute for Computing and Information Sciences

Crypto intro Symmetric crypto Achieving security goals with symmetric crypto Radboud University Nijmegen e-Passport example Encryption: modes of operation Computer Security: Secret Key Crypto B. Jacobs Institute for Computing and Information

856 views • 73 slides
Saturnin A suite of lightweight symmetric algorithms for post-quantum security Anne Canteaut 1

Saturnin A suite of lightweight symmetric algorithms for post-quantum security Anne Canteaut 1

Saturnin A suite of lightweight symmetric algorithms for post-quantum security Anne Canteaut 1 Sbastien Duval 2 Gatan Leurent 1 Mara Naya-Plasencia 1 Lo Perrin 1 Thomas Pornin 3 Andr Schrottenloher 1 1 Inria, France 2 UCL Crypto Group,

750 views • 26 slides
New Algorithms for Quantum (Symmetric) Cryptanalysis Mara Naya-Plasencia 2 , Andr

New Algorithms for Quantum (Symmetric) Cryptanalysis Mara Naya-Plasencia 2 , Andr

Quantum-safe (Symmetric) Cryptography Quantum Collision Search Quantum k-xor Algorithms New Algorithms for Quantum (Symmetric) Cryptanalysis Mara Naya-Plasencia 2 , Andr Schrottenloher 2 Joint work with Andr Chailloux 2 and Lorenzo Grassi

1.63k views • 65 slides
1 2 Symmetric crypto, part 2 client D. J.

1 2 Symmetric crypto, part 2 client D. J.

1 2 Symmetric crypto, part 2 client D. J. Bernstein message m 1 session key k client authenticated k ciphertext C 1 servers ciphertext C 0 public key S Internet Symmetric Internet

2.03k views • 175 slides
Fast symmetric crypto on embedded CPUs Peter Schwabe Radboud University Nijmegen, The Netherlands

Fast symmetric crypto on embedded CPUs Peter Schwabe Radboud University Nijmegen, The Netherlands

Fast symmetric crypto on embedded CPUs Peter Schwabe Radboud University Nijmegen, The Netherlands June 5, 2014 Summer School on the design and security of cryptographic algorithms and devices for real-world applications Embedded CPUs 4-bit

929 views • 70 slides
Getting Post-Quantum Crypto Algorithms Ready for Deployment End of ECRYPT II Event: Crypto for

Getting Post-Quantum Crypto Algorithms Ready for Deployment End of ECRYPT II Event: Crypto for

Getting Post-Quantum Crypto Algorithms Ready for Deployment End of ECRYPT II Event: Crypto for 2020 Tim Gneysu Hardware Security Group Horst Grtz Institute for IT-Security, Bochum 1/24/2013 Outline Introduction Alternative Public-Key

735 views • 55 slides
Quantum Cryptography Quantum Cryptography Quantum Quantum Crypto ?? Crypto ?? or or How

Quantum Cryptography Quantum Cryptography Quantum Quantum Crypto ?? Crypto ?? or or How

Quantum Cryptography Quantum Cryptography Quantum Quantum Crypto ?? Crypto ?? or or How Alice Outwits Eve How Alice Outwits Eve Cani Cani Samuel J. Lomonaco, Jr. Samuel J. Lomonaco, Jr. Dept. of Comp. Sci Dept. of Comp. Sci. &

445 views • 16 slides
Cryptographic Engineering An example of post-quantum crypto Radboud University, Nijmegen, The

Cryptographic Engineering An example of post-quantum crypto Radboud University, Nijmegen, The

Cryptographic Engineering An example of post-quantum crypto Radboud University, Nijmegen, The Netherlands Spring 2015 Crypto today Ephemeral ECDH on 256 -bit curve to compute shared key Use EdDSA signatures for public-key

1.43k views • 109 slides
1 Symmetric crypto, part 2 D. J. Bernstein session key k client

1 Symmetric crypto, part 2 D. J. Bernstein session key k client

1 Symmetric crypto, part 2 D. J. Bernstein session key k client servers ciphertext C 0 public key S Internet Public-key crypto ciphertext C 0 servers same k secret key s server

916 views • 80 slides
Post Quantum Crypto B e r n d F i x < b r f @ h o i - p o l l o i . o

Post Quantum Crypto B e r n d F i x < b r f @ h o i - p o l l o i . o

1 / 2 9 Post Quantum Crypto B e r n d F i x < b r f @ h o i - p o l l o i . o r g > Post-Quantum Crypto Bernd Fix < b r f @ h o i - p o l l o i . o r g > 2 / 2 9 Intro P r

340 views • 29 slides
(post-)quantum security of symmetric key schemes NTT Secure Platform Laboratories (and Nagoya

(post-)quantum security of symmetric key schemes NTT Secure Platform Laboratories (and Nagoya

Towards a better understanding of (post-)quantum security of symmetric key schemes NTT Secure Platform Laboratories (and Nagoya University) Akinori Hosoyamada @ASK 2019 (2019.12.13) Introduction Quantum Attacks against Symmetric

738 views • 56 slides
Symmetric Key Cryptography Introduction to Symmetric Key Cryptography What can we do?

Symmetric Key Cryptography Introduction to Symmetric Key Cryptography What can we do?

PQCRYPTO Summer School on Post-Quantum Cryptography 2017 Stefan Klbl June 20th, 2017 DTU Compute, Technical University of Denmark Symmetric Key Cryptography Introduction to Symmetric Key Cryptography What can we do? Authentication

711 views • 47 slides
Introduction to symmetric crypto Some cipher history D. J. Bernstein 1973, and again in 1974:

Introduction to symmetric crypto Some cipher history D. J. Bernstein 1973, and again in 1974:

1 2 Introduction to symmetric crypto Some cipher history D. J. Bernstein 1973, and again in 1974: U.S. National Bureau of Standards solicits proposals How HTTPS protects connection: for a Data Encryption Standard. Public-key encryption

1.67k views • 131 slides
Quantum Computing Jim Royer CIS 675 Algorithms April 24, 2019 . . . Crypto (CIS 675)

Quantum Computing Jim Royer CIS 675 Algorithms April 24, 2019 . . . Crypto (CIS 675)

Quantum Computing Jim Royer CIS 675 Algorithms April 24, 2019 . . . Crypto (CIS 675) Quantum Computing April 24, 2019 1 / 1 References A Physics-Free Introduction to the Quantum Computation Model by Stephen A. Fenner.

537 views • 28 slides
Introduction to symmetric crypto D. J. Bernstein How HTTPS protects connection: Public-key

Introduction to symmetric crypto D. J. Bernstein How HTTPS protects connection: Public-key

1 Introduction to symmetric crypto D. J. Bernstein How HTTPS protects connection: Public-key encryption system encrypts one secret message: a random 256-bit session key. Public-key signature system stops NSAITM attacks. Fast

1.03k views • 63 slides
Quam Bene Non Quantum Identifying Bias in a Commercial Quantum Random Number Generator Darren

Quam Bene Non Quantum Identifying Bias in a Commercial Quantum Random Number Generator Darren

The UKs European university Real World Crypto 2018 Quam Bene Non Quantum Identifying Bias in a Commercial Quantum Random Number Generator Darren Hurley-Smith & Julio Hernandez-Castro Index Introduction Related works Aims Experimental

563 views • 11 slides
Scattering in PT-symmetric Quantum Mechanics Francesco Cannata Dipartimento di Fisica

Scattering in PT-symmetric Quantum Mechanics Francesco Cannata Dipartimento di Fisica

Scattering in PT-symmetric Quantum Mechanics Francesco Cannata Dipartimento di Fisica dellUniversita di Bologna e Istituto Nazionale di Fisica Nucleare, Sezione di Bologna Scattering in PT-symmetric Quantum Mechanics 2 Summary

1.05k views • 77 slides
DISE: DISTRIBUTED SYMMETRIC-KEY ENCRYTION Shashank Agrawal Payman Mohassel Pratyay Mukherjee

DISE: DISTRIBUTED SYMMETRIC-KEY ENCRYTION Shashank Agrawal Payman Mohassel Pratyay Mukherjee

DISE: DISTRIBUTED SYMMETRIC-KEY ENCRYTION Shashank Agrawal Payman Mohassel Pratyay Mukherjee Peter Rindal Threshold Cryto Has focused on public-key crypto Symmetric-key encryption got less attention Symmetric keys dont stay

338 views • 31 slides

More recommend