Quantum Security for Post-Quantum Cryptography - PowerPoint Presentation

Uploaded by tawny-fly (@tawny-fly) on 2016-12-12. 464 views. ID: 500801

Fang Song, IQC, University of Waterloo. “Quantum-Friendly” Reductions.
Presentation Transcript (the slides’ mathematical symbols did not survive extraction; [ ] marks where one stood)

Slide 1

Quantum Security for Post-Quantum Cryptography
Fang Song, IQC, University of Waterloo
-- “Quantum-Friendly” Reductions

Slide 2

How do quantum attacks change classical cryptography?

Crypto-systems based on the hardness of factoring and discrete-log are broken: factoring and discrete-log are easy on a quantum computer [Shor’97].
Relax…, there are “hard” problems for quantum computers: lattices, code-based, multivariate equations, super-singular elliptic curve isogenies…
Unfortunately, this is not the end of the story…

Slide 3

What do We Mean by “Secure”?

(Figure: [ ] breaks Encryption.)

Provable security: need a proof, a.k.a. a security reduction. Assume attacker [ ] breaks scheme [ ]; construct [ ] from [ ] that solves a hard problem [ ].

Reductions may fail against quantum attackers (even if [ ] is “quantum-hard”). Many PQC schemes are only proven secure against classical attackers.

Ex. 1: Quantum Rewinding. [ ] runs and rewinds [ ] till he’s happy; difficulty with quantum auxiliary state. No-cloning! Information gain => disturbance on [ ]. So far, quantum rewinding can only be done in special cases [Wat09, Unr12].

Slide 4

What do We Mean by “Secure”? (cont’d; the header repeats Slide 3)

Ex. 2: Quantum Random Oracle. Classical proofs often treat hash function [ ] as a random oracle. (Figure: Query [ ] on [ ]; Evaluate.) What if a quantum adversary makes superposition queries [ ]? Many classical tricks do not (immediately) work. FYI: a line of beautiful works [Zhandry’12’13, Unruh’Crypto14…].

Slide 5

What I Did in This Work

Q: What classical security reductions can go through against quantum attacks?

Main Result: Characterize “quantum-friendly” reductions.
Case 1: Class-Respectful Reductions. Common case: the adversary has quantum inner working but classical interaction with the outside world. Formalize sufficient conditions, simple to check. Application: (quantum-safe) one-way functions => signatures; an efficient variant: XMSS [BHH11] (motivation of this work). Not surprising; just making routine work rigorous and easier.
Case 2: Class-Translatable Reductions. Unify a few previous works, e.g., Full-Domain Hash in QRO.

Side: Spell out Provable Quantum Security. Before “how”, be clear “what” to do to establish quantum security.

Slide 6

Review: Provable Classical Security

Usually consider poly-time adversaries. Use Games to formalize the following:

Computational Assumption -- Assume [ ]: the One-Way Function Game (figure: challenger C vs. adversary A).
Security Requirement -- Want [ ]: the Existential-Unforgeable Signature game (figure: challenger C vs. adversary A; C checks “valid?”).
Security Reduction -- Want [ ]: a reduction B that runs A inside (figure: C, B, A, with further labels T and R).

Slide 7

Provable Quantum Security

Every component needs a “quantum” inspection (Classical vs. Quantum).

Formalize “Want”: does there exist [ ], s.t. [ ]? (consider quantum poly-time adversaries only)
Formalize “Assume”: decide what is proper in your setting, e.g., allow quantum superposition queries?

Case 1: Game-Preserving. Classical games capture what quantum attackers can do, except for inner (quantum) computation power.
Case 2: Game-Updating: [ ] and/or [ ]. E.g., quantum RO, quantum-accessible signatures, …

Slide 8

Lifting Game-Preserving Reductions

Basic Idea: Given a quantum adversary [ ] that wins game [ ], find an “equivalent” classical adversary [ ]. Apply the classical reduction [ ] and get [ ].

Two conditions to make the basic idea work:
Does [ ] work on [ ]? [ ] may not be poly-time.
Is there a [ ], s.t. [ ]?

Definition. [ ] and [ ] are [ ]-equivalent ([ ]), if [ ].
[ ]: collection of classical adversaries for which there exists a [ ]-equivalent poly-time quantum adversary.
Is [ ]?

Slide 9

Lifting Game-Preserving Reductions (Cont’d)

Definition. A classical reduction [ ] is [ ]-respectful if
[ ] is [ ]-extendable: [ ], [ ] is well defined on [ ] & [ ].
[ ] is [ ]-closed: [ ], [ ].

Extendibility usually holds and is easy to verify. Closedness could be subtle, e.g. when [ ] involves rewinding [Unr10]. But sometimes it is straightforward.

Theorem 1. If [ ] is [ ]-respectful, then [ ] for quantum adversaries.

Slide 10

A Useful Condition for Closedness

Claim. If for any [ ], [ ] is
Black-box: uses [ ] as a black-box,
Straight-line: when [ ] runs [ ], it never goes back,
Value-dominating: [ ],
then [ ] is [ ]-closed. ([ ])

Application: Quantum-safe OWFs => Quantum-secure Signatures

(Figure: OWF -> One-Time Signature [Lamport] and Universal One-Way Hash Functions [Rompel] -> (Full-fledged) Hash-Tree Signature [Merkle].)

Made common belief and some previous claims rigorous (e.g. [IM’PQCrypto11]). Same holds for XMSS [BDH11]: more efficient OTS + (different) hash tree. More features not checked yet: e.g. forward security…

[Zhandry’Crypto13] showed that (with very nice techniques) Collision-Resistant Hash Function => QQ-secure Signatures. QQ: the adversary can ask for superposition signing queries.
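The first arrow of the chain above (OWF => one-time signature [Lamport]) and the Claim’s black-box, straight-line conditions, as an added example that is not from the slides or the author: a Lamport one-time signature over an assumed one-way function f (SHA-256, a constructed choice), the two games reviewed on Slide 6 written as functions, and the classical reduction B that turns any forger A into an f-inverter by planting the challenge in one public-key slot. All names here (owf, keygen, euf_one_time_game, owf_game, reduction, forger_with_inverter, reduction_wins) and the EVALUATIONS bookkeeping are this example’s own; the inverting forger is a hypothetical attacker that is simply handed an f-inverter so that B’s extraction step can be exercised, not an attack on SHA-256.

```python
import hashlib
import random

MSG_BITS = 8   # messages are integers in [0, 2**MSG_BITS)
N = 32         # preimage length in bytes
SYSRNG = random.SystemRandom()

# Every evaluation of f is remembered here. Only the toy inverting forger at the
# bottom reads it: that forger models a world where f is NOT one-way (an
# assumption of this example, not an attack on SHA-256).
EVALUATIONS = {}

def owf(x: bytes) -> bytes:
    """The assumed one-way function f (constructed choice: SHA-256)."""
    y = hashlib.sha256(x).digest()
    EVALUATIONS[y] = x
    return y

def rand_bytes(rng) -> bytes:
    return rng.getrandbits(8 * N).to_bytes(N, "big")

def bits(m: int):
    return [(m >> i) & 1 for i in range(MSG_BITS)]

def keygen(rng=SYSRNG):
    """sk[i][b] is a random preimage; pk[i][b] = f(sk[i][b])."""
    sk = [[rand_bytes(rng), rand_bytes(rng)] for _ in range(MSG_BITS)]
    return sk, [[owf(s0), owf(s1)] for s0, s1 in sk]

def sign(sk, m: int):
    """Reveal, for each message bit, the preimage sitting under that bit."""
    return [sk[i][b] for i, b in enumerate(bits(m))]

def verify(pk, m: int, sig) -> bool:
    return len(sig) == MSG_BITS and all(
        owf(s) == pk[i][b] for i, (s, b) in enumerate(zip(sig, bits(m))))

def euf_one_time_game(forger, rng=SYSRNG) -> bool:
    """Security requirement as a game: A gets pk, may ask for ONE signature,
    and wins with a valid signature on a message it did not query."""
    sk, pk = keygen(rng)
    queried = []
    def sign_oracle(m):
        if queried:
            raise RuntimeError("one-time key: second signing query")
        queried.append(m)
        return sign(sk, m)
    m2, sig2 = forger(pk, sign_oracle)
    return m2 not in queried and verify(pk, m2, sig2)

def owf_game(inverter, rng=SYSRNG) -> bool:
    """Computational assumption as a game: the challenger samples x and hands
    out y = f(x); the inverter wins by returning any preimage of y."""
    y = owf(rand_bytes(rng))
    x2 = inverter(y)
    return x2 is not None and owf(x2) == y

class Abort(Exception): pass   # simulated oracle would need f^-1(y)

def reduction(forger, rng):
    """B built from A, black-box and straight-line: B guesses a position i*
    and bit b* where A's forgery will differ from A's query, plants y at
    pk[i*][b*], simulates the rest honestly, and runs A once, no rewinding."""
    def inverter(y):
        sk, pk = keygen(rng)
        i_star, b_star = rng.randrange(MSG_BITS), rng.randrange(2)
        pk[i_star][b_star] = y             # B knows no preimage of y
        queried = []
        def sign_oracle(m):
            if queried or bits(m)[i_star] == b_star:
                raise Abort                # cannot answer: give up
            queried.append(m)
            return sign(sk, m)
        try:
            m2, sig2 = forger(pk, sign_oracle)
        except Abort:
            return None
        if m2 in queried or not verify(pk, m2, sig2):
            return None                    # A did not forge
        if bits(m2)[i_star] != b_star:
            return None                    # forgery missed the planted slot
        return sig2[i_star]                # valid => f(sig2[i*]) == y
    return inverter

def guessing_forger(pk, sign_oracle):
    """A weak A: takes one signature, then guesses preimages at random."""
    sign_oracle(0b10101010)
    return 0b01010101, [rand_bytes(SYSRNG) for _ in range(MSG_BITS)]

def forger_with_inverter(invert):
    """Hypothetical A given an f-inverter: it forges on the bitwise complement
    of its query, so the forgery differs from the query at every position."""
    def forger(pk, sign_oracle):
        m = 0b11000011
        sign_oracle(m)
        m2 = m ^ ((1 << MSG_BITS) - 1)
        return m2, [invert(pk[i][b]) or b"" for i, b in enumerate(bits(m2))]
    return forger

def reduction_wins(forger, trials=64) -> int:
    """How often B(A) wins the OWF game over seeded, reproducible runs."""
    return sum(owf_game(reduction(forger, random.Random(s)),
                        random.Random(1000 + s)) for s in range(trials))
```

Calling reduction_wins(forger_with_inverter(EVALUATIONS.get)) shows B recovering a preimage in about half of the seeded runs (B aborts exactly when its guessed bit b* equals the queried message's bit at i*), while reduction_wins(guessing_forger) is always 0. The loss is the standard one for Lamport: for any forger of advantage ε, some position has the forgery bit differing from the query, B's guess of (i*, b*) hits such a position with probability at least 1/(2·MSG_BITS), and whenever it does B never aborts, so B inverts f with probability at least ε/(2·MSG_BITS). Because B uses A purely as a black box and never rewinds it, this is the shape of reduction the Claim above is about.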

Slide 11

 

 

 

Lifting Game-Updating Reductions

Upshot: let an interpreter take you to the game-preserving land!

Definition. A classical reduction [ ] is [ ]-translatable if [ ] s.t. [ ],
[ ] is a “good” interpreter,
[ ] is [ ]-respectful.

Theorem 2. If [ ] is [ ]-translatable, then there exists [ ].

Application: unify previous results. E.g., a more modular proof for Full-Domain Hash in Quantum RO.

Slide 12

Takeaways

To establish quantum security of a classical scheme, the assumptions, security definitions, and reductions all need to be re-examined. We’ve given characterizations for “quantum-friendly” reductions. Simple cases: there is a tool to ease the routine work.

Future Directions

Apply and extend our characterization and tools: many straightforward applications; more interesting cases: rewinding, QRO, generic interpreter …
Reinvestigate fundamental objects: Pseudo-Random Functions => quantum-accessible PR-Permutations? May shed light on quantum unitary designs.
Reduction has quantum access to the adversary? A different flavor of game-updating reductions. E.g. Quantum Goldreich-Levin [AC’STACS02].

Discussions

Thank you!