Slide1
Quantum Security for Post-Quantum Cryptography
-- "Quantum-Friendly" Reductions
Fang Song, IQC, University of Waterloo
Slide2
How do quantum attacks change classical cryptography?
Crypto-systems based on the hardness of factoring and discrete-log are broken: factoring and discrete-log are easy on a quantum computer [Shor'97].
Relax..., there are "hard" problems for quantum computers: lattices, code-based, multivariate equations, super-singular elliptic curve isogenies...
Unfortunately, this is not the end of the story...
Slide3
What do We Mean by "Secure"?
Provable security: need a proof, a.k.a. a security reduction. Assume an attacker breaks the scheme; construct from it an algorithm that solves a hard problem.
[Figure: an adversary breaks Encryption.]
Reductions may fail against quantum attackers (even if the underlying problem is "quantum-hard"). Many PQC schemes are only proven secure against classical attackers.
Ex.1 Quantum Rewinding
The reduction runs the adversary and rewinds it till he's happy. Difficulty with a quantum auxiliary state: no-cloning! Information gain implies disturbance of the state. So far, quantum rewinding can only be done in special cases [Wat09, Unr12].
Slide4
What do We Mean by "Secure"? (cont'd)
Ex.2 Quantum Random Oracle
Classical proofs often treat the hash function as a random oracle: evaluating the hash on an input becomes querying the oracle on that input.
What if a quantum adversary makes superposition queries? Many classical tricks do not (immediately) work.
FYI: a line of beautiful works [Zhandry'12, '13, Unruh'Crypto14, ...].
Slide5
What I Did in This Work
Q: What classical security reductions can go through against quantum attacks?
Main Result: Characterize "quantum-friendly" reductions.
Case 1: Class-Respectful Reductions. Common case: the adversary has quantum inner workings but classical interaction with the outside world. Formalize sufficient conditions that are simple to check. Application: (quantum-safe) one-way functions give signatures; an efficient variant: XMSS [BDH11] (the motivation of this work). Not surprising; just making routine work rigorous and easier.
Case 2: Class-Translatable Reductions. Unify a few previous works, e.g., Full-Domain Hash in the QRO.
Side: Spell out provable quantum security. Before "how", be clear about "what" to do to establish quantum security.
Slide6
Review: Provable Classical Security
Usually consider poly-time adversaries. Use games to formalize the following:
Computational Assumption (Assume) [figure: One-Way Function Game between a challenger C and an adversary A]
Security Requirement (Want) [figure: Existential-Unforgeable Signature game between a challenger C and an adversary A, ending with the check "valid?"]
Security Reduction (Want) [figure: reduction diagram labelled C, B, A, T, R]
Slide7
Provable Quantum Security
Formalize "Assume" and formalize "Want", each with a classical and a quantum version: does there exist a reduction s.t. the assumption and the requirement are met (consider quantum poly-time adversaries only)? Decide what is proper in your setting, e.g., allow quantum superposition queries? Every component needs a "quantum" inspection.
Case 1: Game-Preserving. Classical games capture what quantum attackers can do, except for inner (quantum) computation power.
Case 2: Game-Updating. The assumption game and/or the requirement game change. E.g., quantum RO, quantum-accessible signatures, ...
Slide8
Lifting Game-Preserving Reductions
Basic idea: given a quantum adversary that wins the game, find an "equivalent" classical adversary; apply the classical reduction to it and get a solver for the hard problem.
Two conditions to make the basic idea work: Does the reduction work on the equivalent classical adversary? (It may not be poly-time.) Does such an equivalent classical adversary exist at all?
Definition. Two adversaries are game-equivalent if they do equally well in the game (formal condition lost in this transcript). Consider the collection of classical adversaries for which there exists a game-equivalent poly-time quantum adversary. Does the classical reduction still work on this collection?
Slide9
Lifting Game-Preserving Reductions (Cont'd)
Definition. A classical reduction is class-respectful if it is extendable, i.e., it is well defined on the adversary class in question, and closed with respect to that class (formal conditions lost in this transcript).
Extendibility usually holds and is easy to verify. Closedness could be subtle, e.g. when the reduction involves rewinding [Unr10], but sometimes it is straightforward.
Theorem 1. If a classical reduction is class-respectful, then it also goes through against quantum adversaries.
Slide10
A Useful Condition for Closedness
Claim. If, for any adversary in the class, the reduction is black-box (it uses the adversary as a black box), straight-line (when it runs the adversary, it never goes back), and value-dominating (formal condition lost in this transcript), then the reduction is closed.
Application: quantum-safe OWFs give quantum-secure signatures.
Building blocks: OWF; One-Time Signature [Lamport]; Universal One-Way Hash Functions [Rompel]; (full-fledged) Hash-Tree Signature [Merkle].
Made common belief and some previous claims rigorous (e.g. [IM'PQCrypto11]). The same holds for XMSS [BDH11]: a more efficient OTS + a (different) hash tree. More features not checked yet, e.g. forward security...
[Zhandry'Crypto13] showed (with very nice techniques) that a Collision-Resistant Hash Function gives QQ-secure signatures. QQ: the adversary can ask for superposition signing queries.
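The OWF-to-signature chain above, as an added example in Python (not code from the slides, from XMSS, or from the cited papers): Lamport one-time signatures whose public keys are leaves of a Merkle hash tree, so that one root authenticates 2^height one-time keys. SHA-256 stands in for the one-way function, which is an assumption (the slides assume only a generic OWF), and the tree hashes the one-time public keys directly with SHA-256 instead of with a universal one-way hash function as in the Rompel/Merkle route, so this toy additionally relies on collision resistance. The signer is stateful: every one-time key is used at most once, and signing is refused once the tree is exhausted.

```python
"""Lamport OTS lifted to a Merkle hash-tree signature (added example).
Assumption: SHA-256 instantiates the one-way function; a real scheme would
hash the leaves with a UOWHF and use a more efficient OTS (cf. XMSS)."""
import hashlib
import secrets

N_BITS = 256  # digest length; one preimage pair per digest bit
SK_LEN = 32   # bytes of randomness per secret preimage


def H(*parts: bytes) -> bytes:
    """The one-way function instantiation: SHA-256 over the concatenation."""
    h = hashlib.sha256()
    for p in parts:
        h.update(p)
    return h.digest()


def msg_bits(msg: bytes) -> list:
    """Bits of the message digest, most significant bit first."""
    d = H(b"msg", msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(N_BITS)]


def lamport_keygen():
    """sk: 2*N_BITS random preimages; pk: their images under H."""
    sk = [(secrets.token_bytes(SK_LEN), secrets.token_bytes(SK_LEN)) for _ in range(N_BITS)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk


def lamport_sign(sk, msg: bytes) -> list:
    """Reveal, for each digest bit, the preimage selected by that bit."""
    return [sk[i][b] for i, b in enumerate(msg_bits(msg))]


def lamport_verify(pk, msg: bytes, sig) -> bool:
    if len(sig) != N_BITS:
        return False
    return all(H(s) == pk[i][b] for i, (b, s) in enumerate(zip(msg_bits(msg), sig)))


def pk_leaf(pk) -> bytes:
    """Merkle leaf: hash of the serialized Lamport public key."""
    return H(b"leaf", *[img for pair in pk for img in pair])


class MerkleSigner:
    """2**height Lamport key pairs under one Merkle root; each used at most once."""

    def __init__(self, height: int):
        self.height = height
        self.keys = [lamport_keygen() for _ in range(1 << height)]
        self.levels = [[pk_leaf(pk) for _, pk in self.keys]]  # levels[0] = leaves
        while len(self.levels[-1]) > 1:
            lvl = self.levels[-1]
            self.levels.append([H(b"node", lvl[i], lvl[i + 1]) for i in range(0, len(lvl), 2)])
        self.root = self.levels[-1][0]  # the public key
        self.next_leaf = 0              # state: index of the next unused OTS key

    def sign(self, msg: bytes):
        if self.next_leaf >= len(self.keys):
            raise RuntimeError("all one-time keys used; generate a new tree")
        idx, self.next_leaf = self.next_leaf, self.next_leaf + 1
        sk, pk = self.keys[idx]
        auth, i = [], idx
        for lvl in range(self.height):  # authentication path: sibling on each level
            auth.append(self.levels[lvl][i ^ 1])
            i >>= 1
        return idx, lamport_sign(sk, msg), pk, auth


def merkle_verify(root: bytes, msg: bytes, sig) -> bool:
    """Check the OTS, then recompute the root from the leaf and the auth path."""
    idx, ots, pk, auth = sig
    if not lamport_verify(pk, msg, ots):
        return False
    node, i = pk_leaf(pk), idx
    for sib in auth:
        node = H(b"node", sib, node) if i & 1 else H(b"node", node, sib)
        i >>= 1
    return i == 0 and node == root


def demo() -> dict:
    """Sign two constructed messages with a height-3 tree and probe the verifier."""
    signer = MerkleSigner(height=3)
    m1, m2 = b"constructed message 1", b"constructed message 2"
    s1, s2 = signer.sign(m1), signer.sign(m2)
    return {
        "valid": merkle_verify(signer.root, m1, s1) and merkle_verify(signer.root, m2, s2),
        "mismatched_msg": merkle_verify(signer.root, m2, s1),  # s1 presented for m2
        "wrong_root": merkle_verify(H(b"other root"), m1, s1),
        "distinct_leaves": s1[0] != s2[0],
    }


def key_exhaustion_refused(height: int) -> bool:
    """True if the (2**height + 1)-th signature is refused, as it must be."""
    signer = MerkleSigner(height)
    for k in range(1 << height):
        signer.sign(b"msg %d" % k)
    try:
        signer.sign(b"one too many")
    except RuntimeError:
        return True
    return False


if __name__ == "__main__":
    print(demo())
```

The verifier is the part a reduction in the slides' sense would run as a black box: it checks a Lamport signature purely by re-hashing revealed preimages, then re-derives the root from the leaf and the sibling hashes. The refusal in sign is what keeps each Lamport key one-time, which is the property the Merkle construction assumes of its OTS.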
Slide11
Lifting Game-Updating Reductions
Upshot: let an interpreter take you to the game-preserving land!
Definition. A classical reduction is class-translatable if there exists an interpreter s.t. it is a "good" interpreter and the reduction composed with it is class-respectful (formal conditions lost in this transcript).
Theorem 2. If a classical reduction is class-translatable, then there exists a corresponding reduction against quantum adversaries for the updated game.
Application: unify previous results, e.g., a more modular proof for Full-Domain Hash in the Quantum RO.
Slide12
Takeaways
To establish quantum security of a classical scheme, assumptions, security definitions, and reductions all need to be re-examined. We've given characterizations for "quantum-friendly" reductions. Simple cases: there is a tool to ease the routine work.
Future Directions
Apply and extend our characterization and tools: many straightforward applications; more interesting cases: rewinding, QRO, generic interpreter, ...
Reinvestigate fundamental objects: pseudorandom functions; quantum-accessible pseudorandom permutations? May shed light on quantum unitary designs.
Reduction has quantum access to the adversary? A different flavor of game-updating reductions, e.g. quantum Goldreich-Levin [AC'STACS02].
Discussions
Thank you!