Quantum-secure symmetric-key cryptography based on Hidden Shifts - PowerPoint PPT Presentation

Quantum-secure symmetric-key cryptography based on Hidden Shifts Gorjan Alagic Alexander Russell QMATH, Department of Mathematical Sciences Department of Computer Science & Engineering University of Copenhagen University of Connecticut arXiv:1610.01187

quantum computation + cryptography Typical post-quantum crypto: quantum classical adversary cryptosystem Classical crypto in quantum world: quantum classical adversary cryptosystem Fully-quantum crypto: quantum adversary cryptosystem

quantum access? Classical functions on a quantum computer Let 𝑔: 0,1 𝑜 → 0,1 𝑛 be some function. Quantum generalizes classical, so we can implement 𝑔 on our quantum computer. How? 𝑦, 𝑧 ↦ (𝑦, 𝑧 ⊕ 𝑔 𝑦 ) 1. [turn into reversible function] 𝑦 𝑧 ↦ 𝑦 |𝑧 ⊕ 𝑔 𝑦 ⟩ 2. [run circuit on your quantum computer] But wait… now we can plug in non-classical inputs: ෍ 𝛽 𝑦𝑧 𝑦 𝑧 ↦ ෍ 𝛽 𝑦𝑧 𝑦 |𝑧 ⊕ 𝑔 𝑦 ⟩ 𝑦,𝑧 𝑦,𝑧 (𝑦, 𝑔 𝑦 ) for random 𝑦 E.g., can prepare uniform superposition of values: ෍ 𝑦 |𝑔 𝑦 ⟩ 𝑦 ??

quantum access? Recall CPA: Some protocol involving an encryption scheme 𝑭𝒐𝒅, 𝑬𝒇𝒅 … 𝑭𝒐𝒅 𝑙 𝐵 𝑭𝒐𝒅 𝑙 • implements the map: 𝑦 ↦ 𝑭𝒐𝒅 𝑙 𝑦 ; classically: • what happens if 𝐵 can run this map quantumly? • then 𝐵 gets quantum oracle : 𝑦 𝑧 ↦ 𝑦 |𝑧 ⊕ 𝑭𝒐𝒅 𝑙 𝑦 ⟩ • … and can run it on non -classical inputs! ෍ 𝑦 |𝑭𝒐𝒅 𝑙 𝑦 ⟩ ?? 𝑦

quantum access: is it realistic? In some settings, “quantum oracles” make perfect sense: • public-key encryption : 𝑞𝑙 ↦ encrypt circuit • hash functions : algorithm reversible circuit • exposing code : obfuscated circuit In other settings, this might depend on the model, or the physics: • private- key encryption (can device act coherently? “frozen smart card” [GHS16] ) • authentication and signatures (can user be fooled into signing superposition?) In any case: the model is of theoretical interest!

is *anything* secure in this model? Yes: pseudorandomness still exists! [GGM84] construction yields PRF s {𝑔 𝑙 } which are “quantum oracle” – secure [Zha12] . Authentication [BZ13] : • Uniformly random key 𝑙 for 𝑔 𝑙 ; • 𝐍𝐁𝐃 𝑙 𝑛 = 𝑔 𝑙 𝑛 . Encryption [BZ13] : • Uniformly random 𝑙 for 𝑔 𝑙 ; • 𝐅𝐨𝐝 𝑙 𝑛 = 𝑠, 𝑔 𝑙 𝑠 ⊕ 𝑛 . Maybe everything is ok, even in this model?

quantum oracle attacks: an example “Simplest block cipher” [EM97, DKS11]: 1. Fix public, random permutation 𝑄: 0,1 𝑜 → 0,1 𝑜 ; 2. Uniformly random key: 𝑙 ∈ 𝑆 0,1 𝑜 ; 3. Encrypt: 𝐹 𝑙 𝑦 = 𝑄 𝑦 ⊕ 𝑙 ⊕ 𝑙 . 𝑙 𝑙 𝑦 𝑄 𝐹 𝑙 (𝑦) Security: 𝐹 𝑙 is strongly pseudorandom (even if adversary has 𝑄 , 𝑄 −1 , 𝐹 𝑙 , 𝐹 𝑙 −1 .) • • ⇒ can’t decrypt; • ⇒ can’t forge input/output pairs, etc.

quantum oracle attacks: an example “Simplest block cipher” [EM97, DKS11]: 𝑙 𝑙 𝐹 𝑙 𝑦 = 𝑄 𝑦 ⊕ 𝑙 ⊕ 𝑙 . 𝑦 𝑄 𝐹 𝑙 (𝑦) Quantum attack [KM12]: simple predecessor to Shor 1. Form oracle 𝑔 𝑦 = 𝑄 𝑦 ⊕ 𝐹 𝑙 𝑦 ; Given: • oracle access to 𝑔 ; 2. Apply Simon’s algorithm on 𝑔 and output result. • Promise ∃𝒍 s.t. 𝑔 𝑦 = 𝑔(𝑧) iff 𝑧 = 𝑦 ⊕ 𝒍; Output: Why does it work? 𝑔 𝑦 = 𝑄 𝑦 ⊕ 𝑄 𝑦 ⊕ 𝑙 ⊕ 𝑙 = 𝑔(𝑦 ⊕ 𝑙) • 𝒍 This is Simon’s promise ⇒ attack will output 𝑙 ! Devastating: complete key recovery with only 𝒫(𝑜) queries, space and time! Simple variants also break: 3-round Feistel [KM10] , Encrypted-CBC-MAC, LRW tweakable ciphers, many CAESAR candidates, … [KLLN16, SS16] .

what is really at the core: hidden shift The Simon attack breaks: Even-Mansour, 3-round Feistel, Encrypted-CBC-MAC, LRW tweakable ciphers, many CAESAR candidates, … • if viewed in a certain way, all the attacks… • first build a pair of shifted functions: 𝑔 𝑦 = 𝑕(𝑦 ⊕ 𝑙) … • … and then apply Simon’s algorithm to 𝑔 𝑦 ⊕ 𝑕(𝑦) . well-known to quantum algorithms community! Hidden Shift Problem (HS). Fix a finite group 𝐻 . Given oracles for injective 𝑔, 𝑕: 𝐻 → 𝑇 and a promise that ∃ 𝑡 ∈ 𝐻 such that 𝑔 𝑦 = 𝑕(𝑦 ⋅ 𝑡) for all 𝑦 ∈ 𝐻 , output 𝑡 . 𝒈 𝒉

hidden shift problem Classically: requires exponentially-many queries [ in 𝑜 = log( 𝐻 ) ] . 𝑜 (Simon). Quantumly: efficiently solvable for 𝐻 = ℤ 2 For most other groups, appears to be hard. Hidden Shift Problem (HS). Fix a finite group 𝐻 . Given oracles for injective 𝑔, 𝑕: 𝐻 → 𝑇 Cyclic groups: (e.g., ℤ 2 𝑜 ) and a promise that ∃ 𝑡 ∈ 𝐻 such that 𝑔 𝑦 = 𝑕(𝑦 ⋅ 𝑡) for all 𝑦 ∈ 𝐻 , output 𝑡 . 𝑜 time [Kup03] . best quantum algorithm takes 2 𝒫 • • only idea we have (“ coset sampling”) : if it works, then UniqueSVP ∈ BQP [Reg02] . Symmetric groups: (i.e., 𝑇 𝑜 ) • no subexp algorithms known; • coset sampling unlikely to give even subexp algorithms [MR05, MRS07] .

hidden shift crypto The Simon attack breaks: Even-Mansour, 3-round Feistel, Encrypted-CBC-MAC, LRW tweakable ciphers, many CAESAR candidates, … Generic fix: • select an exponentially-large group (family) 𝐻 (e.g., cyclic ℤ 2 n , dihedral 𝐸 𝑛 , symmetric 𝑇 𝑜 , Lie-type 𝑇𝑀 2 (𝔾 𝑟 ) , … ) • replace input/output spaces with 𝐻 (or a power of 𝐻 ). • replace bitwise XOR operation with group operation on 𝐻 . Sanity check [AH17]: • this does not affect classical security… • … or classical -access security against quantum adversaries.

hidden shift crypto The Simon attack breaks: Even-Mansour, 3-round Feistel, Encrypted-CBC-MAC, LRW tweakable ciphers, many CAESAR candidates, … Generic fix: • select an exponentially-large group (family) 𝐻 (e.g., cyclic ℤ 2 n , dihedral 𝐸 𝑛 , symmetric 𝑇 𝑜 , Lie-type 𝑇𝑀 2 (𝔾 𝑟 ) , … • replace input/output spaces with 𝐻 (or a power of 𝐻 ). • replace bitwise XOR operation with group operation on 𝐻 . Example 1: Even-Mansour. 1. Fix public, random permutation 𝑄: 𝐻 → 𝐻 ; 2. Select key: 𝑙 ∈ 𝑆 𝐻 ; 3. Encrypt: 𝐹 𝑙 𝑦 = 𝑄 𝑦 ⋅ 𝑙 ⋅ 𝑙 . 𝑙 𝑙 ⋅ ⋅ 𝑦 𝑄 𝐹 𝑙 (𝑦) ⋅ : 𝐻 × 𝐻 → 𝐻

hidden shift crypto The Simon attack breaks: Even-Mansour, 3-round Feistel, Encrypted-CBC-MAC, LRW tweakable ciphers, many CAESAR candidates, … Generic fix: • select an exponentially-large group (family) 𝐻 (e.g., cyclic ℤ 2 n , dihedral 𝐸 𝑛 , symmetric 𝑇 𝑜 , Lie-type 𝑇𝑀 2 (𝔾 𝑟 ) , … • replace input/output spaces with 𝐻 (or a power of 𝐻 ). • replace bitwise XOR operation with group operation on 𝐻 . Example 2: Feistel network. 1. Choose pseudorandom function 𝑆: 0,1 𝑜 × 𝐻 → 𝐻 ; + ⋅ R 1 2. Choose keys 𝑙 𝑘 ∈ 𝑆 0,1 𝑜 , set 𝑆 𝑘 ≔ 𝑆 𝑙 𝑘 ; 3. Build pseudorandom permutation on 𝐻 × 𝐻 : + ⋅ R 2 + ⋅ R 3 ⋅ : 𝐻 × 𝐻 → 𝐻

hidden shift crypto The Simon attack breaks: Even-Mansour, 3-round Feistel, Encrypted-CBC-MAC, LRW tweakable ciphers, many CAESAR candidates, … Generic fix: • select an exponentially-large group (family) 𝐻 (e.g., cyclic ℤ 2 n , dihedral 𝐸 𝑛 , symmetric 𝑇 𝑜 , Lie-type 𝑇𝑀 2 (𝔾 𝑟 ) , … • replace input/output spaces with 𝐻 (or a power of 𝐻 ). • replace bitwise XOR operation with group operation on 𝐻 . Example 3: Encrypted-CBC-MAC. 1. Fix keyed, pseudorandom permutation 𝐹: 0,1 𝑜 × 𝐻 → 𝐻 ; 2. Select key pair: 𝑙, 𝑙 1 ∈ 𝑆 0,1 𝑜 ; 3. Decompose message 𝑛 ∈ 𝐻 𝑚 into blocks 𝑛 𝑘 ∈ 𝐻 . … + ⋅ + ⋅ ⋅ 1 E k E k E k E k ’ ⋅ : 𝐻 × 𝐻 → 𝐻

main results Is this “generic fix” a good idea? 1. The Hidden Shift Problem (HS) seems to be a good crypto primitive. Theorem 1. The Hidden Shift Problem is random self-reducible.

main results Is this “generic fix” a good idea? 1. The Hidden Shift Problem (HS) seems to be a good crypto primitive. • randomized version “ RHS ” where 𝑔 is random and 𝑕 is a shift; • QPT = quantum polynomial-time algorithm. Theorem 1. RHS is random self-reducible. That is, if there exists a QPT which solves RHS for a 1/poly-fraction of inputs, then there exists a QPT which solves RHS and HS for all but a negligible fraction of inputs. Proof idea: Use the “1/poly - fraction” QPT to explore the entire space of instances, by: 1. randomizing shifts by pre-composing 𝑔 (but not 𝑕 ) with a random shift; 2. randomize outputs by post-composing both 𝑔 and 𝑕 with a qPRF ; 3. repeat with fresh randomness, and a fresh qPRF key poly-many times; 4. test any outputs of the QPT by random sampling and checking.

main results Is this “generic fix” a good idea? 1. The Hidden Shift Problem (HS) seems to be a good crypto primitive. Theorem 2. The decision and search version of HS are equivalent.