random oracles in a quantum world
play

Random Oracles in a Quantum World Dan Boneh 1 ur Dagdelen 2 Marc - PowerPoint PPT Presentation

Introduction Positive Results Conclusion Random Oracles in a Quantum World Dan Boneh 1 ur Dagdelen 2 Marc Fischlin 2 Ozg Anja Lehmann 3 Christian Schaffner 4 Mark Zhandry 1 1 Stanford University, USA 2 CASED & Darmstadt University of


  1. Introduction Positive Results Conclusion Random Oracles in a Quantum World ¨ Dan Boneh 1 ur Dagdelen 2 Marc Fischlin 2 Ozg¨ Anja Lehmann 3 Christian Schaffner 4 Mark Zhandry 1 1 Stanford University, USA 2 CASED & Darmstadt University of Technology, Germany 3 IBM Research Zurich, Switzerland 4 University of Amsterdam and CWI, The Netherlands December 5, 2011 Boneh, Dagdelen, Fischlin, Lehmann, Schaffner, Zhandry Random Oracles in a Quantum World

  2. Introduction Quantum Random Oracle Model Positive Results Our Results Conclusion Classical Random Oracle Model Adversaries Boneh, Dagdelen, Fischlin, Lehmann, Schaffner, Zhandry Random Oracles in a Quantum World

  3. Introduction Quantum Random Oracle Model Positive Results Our Results Conclusion Quantum Random Oracle Model Adversaries Boneh, Dagdelen, Fischlin, Lehmann, Schaffner, Zhandry Random Oracles in a Quantum World

  4. Introduction Quantum Random Oracle Model Positive Results Our Results Conclusion Quantum Random Oracle Model (QROM) Why quantum queries? Random oracle models hash function, which a quantum adversary can evaluate on superposition. Boneh, Dagdelen, Fischlin, Lehmann, Schaffner, Zhandry Random Oracles in a Quantum World

  5. Introduction Quantum Random Oracle Model Positive Results Our Results Conclusion Quantum Random Oracle Model (QROM) Why quantum queries? Random oracle models hash function, which a quantum adversary can evaluate on superposition. Because quantum adversaries can query on a superposition, classical proofs of security do not carry over to the quantum setting. Boneh, Dagdelen, Fischlin, Lehmann, Schaffner, Zhandry Random Oracles in a Quantum World

  6. Introduction Quantum Random Oracle Model Positive Results Our Results Conclusion Quantum Random Oracle Model (QROM) Why quantum queries? Random oracle models hash function, which a quantum adversary can evaluate on superposition. Because quantum adversaries can query on a superposition, classical proofs of security do not carry over to the quantum setting. Examples: Simulating the random oracle Determining what points the adversary is interested in Programming the random oracle Rewinding Boneh, Dagdelen, Fischlin, Lehmann, Schaffner, Zhandry Random Oracles in a Quantum World

  7. Introduction Quantum Random Oracle Model Positive Results Our Results Conclusion Our Results Separation result: Scheme secure in classical ROM, but insecure in QROM Boneh, Dagdelen, Fischlin, Lehmann, Schaffner, Zhandry Random Oracles in a Quantum World

  8. Introduction Quantum Random Oracle Model Positive Results Our Results Conclusion Our Results Separation result: Scheme secure in classical ROM, but insecure in QROM Identification scheme Boneh, Dagdelen, Fischlin, Lehmann, Schaffner, Zhandry Random Oracles in a Quantum World

  9. Introduction Quantum Random Oracle Model Positive Results Our Results Conclusion Our Results Separation result: Scheme secure in classical ROM, but insecure in QROM Identification scheme Positive result: Signature Schemes Boneh, Dagdelen, Fischlin, Lehmann, Schaffner, Zhandry Random Oracles in a Quantum World

  10. Introduction Quantum Random Oracle Model Positive Results Our Results Conclusion Our Results Separation result: Scheme secure in classical ROM, but insecure in QROM Identification scheme Positive result: Signature Schemes Some classical security proofs carry over (if quantum PRFs exist). Boneh, Dagdelen, Fischlin, Lehmann, Schaffner, Zhandry Random Oracles in a Quantum World

  11. Introduction Quantum Random Oracle Model Positive Results Our Results Conclusion Our Results Separation result: Scheme secure in classical ROM, but insecure in QROM Identification scheme Positive result: Signature Schemes Some classical security proofs carry over (if quantum PRFs exist). Example: Lattice-based signatures ([GPV08]) Example: Specific instances of Full Domain Hash Generic Full Domain Hash is still open. Boneh, Dagdelen, Fischlin, Lehmann, Schaffner, Zhandry Random Oracles in a Quantum World

  12. Introduction Quantum Random Oracle Model Positive Results Our Results Conclusion Our Results Separation result: Scheme secure in classical ROM, but insecure in QROM Identification scheme Positive result: Signature Schemes Some classical security proofs carry over (if quantum PRFs exist). Example: Lattice-based signatures ([GPV08]) Example: Specific instances of Full Domain Hash Generic Full Domain Hash is still open. Positive result: Encryption Schemes Boneh, Dagdelen, Fischlin, Lehmann, Schaffner, Zhandry Random Oracles in a Quantum World

  13. Introduction Signatures Positive Results Encryption Schemes Conclusion Preimage Sampleable Functions A preimage sampleable trapdoor function (PSF) F is a triple of functions ( G , f , f − 1 ): G (1 n ) outputs ( sk , pk ) f pk ( x ) is efficiently computable, uniformly distributed for random x . f − 1 sk ( y ) samples uniformly from the set of x such that f pk ( x ) = y Boneh, Dagdelen, Fischlin, Lehmann, Schaffner, Zhandry Random Oracles in a Quantum World

  14. Introduction Signatures Positive Results Encryption Schemes Conclusion Preimage Sampleable Functions A preimage sampleable trapdoor function (PSF) F is a triple of functions ( G , f , f − 1 ): G (1 n ) outputs ( sk , pk ) f pk ( x ) is efficiently computable, uniformly distributed for random x . f − 1 sk ( y ) samples uniformly from the set of x such that f pk ( x ) = y F = ( G , f , f − 1 ) is secure if it is one-way, collision-resistant, and has high preimage min-entropy. Boneh, Dagdelen, Fischlin, Lehmann, Schaffner, Zhandry Random Oracles in a Quantum World

  15. Introduction Signatures Positive Results Encryption Schemes Conclusion Preimage Sampleable Functions A preimage sampleable trapdoor function (PSF) F is a triple of functions ( G , f , f − 1 ): G (1 n ) outputs ( sk , pk ) f pk ( x ) is efficiently computable, uniformly distributed for random x . f − 1 sk ( y ) samples uniformly from the set of x such that f pk ( x ) = y F = ( G , f , f − 1 ) is secure if it is one-way, collision-resistant, and has high preimage min-entropy. Secure construction from lattices [GPV08] Boneh, Dagdelen, Fischlin, Lehmann, Schaffner, Zhandry Random Oracles in a Quantum World

  16. Introduction Signatures Positive Results Encryption Schemes Conclusion Example: GPV Signatures Given a PSF F = ( G , f , f − 1 ), construct a signature scheme S O = ( G , S O , V O ) as follows: Boneh, Dagdelen, Fischlin, Lehmann, Schaffner, Zhandry Random Oracles in a Quantum World

  17. Introduction Signatures Positive Results Encryption Schemes Conclusion Example: GPV Signatures Given a PSF F = ( G , f , f − 1 ), construct a signature scheme S O = ( G , S O , V O ) as follows: sk ( m ) = f − 1 S O sk ( O ( m )). Remember this output for future queries of m Boneh, Dagdelen, Fischlin, Lehmann, Schaffner, Zhandry Random Oracles in a Quantum World

  18. Introduction Signatures Positive Results Encryption Schemes Conclusion Example: GPV Signatures Given a PSF F = ( G , f , f − 1 ), construct a signature scheme S O = ( G , S O , V O ) as follows: sk ( m ) = f − 1 S O sk ( O ( m )). Remember this output for future queries of m V O pk ( m , σ ) accepts if and only if f pk ( σ ) = O ( m ). Boneh, Dagdelen, Fischlin, Lehmann, Schaffner, Zhandry Random Oracles in a Quantum World

  19. Introduction Signatures Positive Results Encryption Schemes Conclusion Example: GPV Signatures Given a PSF F = ( G , f , f − 1 ), construct a signature scheme S O = ( G , S O , V O ) as follows: sk ( m ) = f − 1 S O sk ( O ( m )). Remember this output for future queries of m V O pk ( m , σ ) accepts if and only if f pk ( σ ) = O ( m ). Theorem Suppose F is a quantum-secure PSF, and that quantum pseudorandom functions exist. Then S is quantum secure. Boneh, Dagdelen, Fischlin, Lehmann, Schaffner, Zhandry Random Oracles in a Quantum World

  20. Introduction Signatures Positive Results Encryption Schemes Conclusion Security of GPV Signatures Two parts: Boneh, Dagdelen, Fischlin, Lehmann, Schaffner, Zhandry Random Oracles in a Quantum World

  21. Introduction Signatures Positive Results Encryption Schemes Conclusion Security of GPV Signatures Two parts: Prove that security of a certain type of classical reduction (called history free ) implies security in the quantum setting Boneh, Dagdelen, Fischlin, Lehmann, Schaffner, Zhandry Random Oracles in a Quantum World

  22. Introduction Signatures Positive Results Encryption Schemes Conclusion Security of GPV Signatures Two parts: Prove that security of a certain type of classical reduction (called history free ) implies security in the quantum setting Show that the reduction of [GPV08] is history free Boneh, Dagdelen, Fischlin, Lehmann, Schaffner, Zhandry Random Oracles in a Quantum World

  23. Introduction Signatures Positive Results Encryption Schemes Conclusion (Classical) History-free Reduction Classical RO Techniques: Boneh, Dagdelen, Fischlin, Lehmann, Schaffner, Zhandry Random Oracles in a Quantum World

  24. Introduction Signatures Positive Results Encryption Schemes Conclusion (Classical) History-free Reduction Classical RO Techniques: Simulating the random oracle. Boneh, Dagdelen, Fischlin, Lehmann, Schaffner, Zhandry Random Oracles in a Quantum World

Recommend


More recommend