Secure Signatures and Chosen Ciphertext Security in a Quantum Computing World. Dan Boneh and Mark Zhandry, Stanford University (PowerPoint PPT Presentation)



SLIDE 1

Secure Signatures and Chosen Ciphertext Security in a Quantum Computing World

Dan Boneh and Mark Zhandry Stanford University

SLIDE 2

Classical Chosen Message Attack (CMA)

[Diagram: the adversary sends a message m to the signer, who holds signing key sk and returns σ = S(sk, m)]

SLIDE 3

Classical CMA + Quantum Computer

Adversary has quantum computing power, but interactions remain classical ⇒ classical proofs often carry through

[Diagram: the same classical exchange, m → σ = S(sk, m) under signing key sk, now against a quantum adversary (post-quantum CMA)]

SLIDE 4

This Talk: Quantum CMA

Everyone is quantum ⇒ quantum queries
Quantum interactions ⇒ need quantum proofs

Extends [ BDFLSZ’11, DFNS’11, Z’12a, Z’12b, BZ’13a ]

[Diagram: the adversary sends a superposition of all messages m to the signer holding signing key sk and receives signatures σ on all messages]

SLIDE 5

An Emerging Field

Many classical security games have quantum analogs:

  • Quantum secret sharing, zero knowledge [ DFNS’11 ]
  • Quantum-secure PRFs [ Z’12b ]
  • Quantum CMA for MACs [ BZ’13a ]
  • Quantum-secure non-malleable commitments ???
  • Quantum-secure IBE, ABE, FE ???
  • Quantum-secure identification protocols ???
SLIDE 6

Motivation

Quantum world ⇒ unforeseen exotic attacks?

  • Use most conservative model

Objection: can always “classicalize” queries

  • Burden on hardware designer
  • What if adversary can bypass?

Quantum-secure crypto: no need to classicalize

[Diagram: a query m before and after being classicalized]

SLIDE 7

Quantum Security: Signature Definition

Existential forgery: q quantum queries ⇒ q+1 (distinct) signatures

[Diagram: after q queries (m → σ) to the signer holding signing key sk, the adversary outputs (m0, σ0), …, (mq, σq)]

SLIDE 8

Building Quantum-Secure Signatures

Separation:

Theorem: ∃ classical CMA secure schemes that are not quantum CMA secure

Difficulties in proving quantum security:

  • Aborts seem problematic
  • Reduction must sign entire superposition correctly
  • Existing proof techniques [ Z’12b, BZ’13a ] leave query intact
  • Known limitations in quantum setting:
    • MPC [ DFNS’11 ]
    • Fiat-Shamir in QROM [ DFG’13 ]
  • Cannot prove security for unique signatures (Ex: Lamport)

SLIDE 9

Building Quantum-Secure Signatures

First attempt: do classical constructions work? Examples:

  • From lattices [ CHKP’10, ABB’10 ]
  • Using random oracles [ BR’93, GPV’08 ]
  • From generic assumptions [ Rom’90 ]

Short answer: sometimes yes, with small modifications

SLIDE 10

Hash and Sign

Many classical signature schemes hash before signing.

Classical Advantages:

  • Only sign small hash ⇒ more efficient
  • Weak security requirements for S’ if H modeled as random oracle

Our Goal:

  • Prove quantum security of S assuming only classical security of S’

[Diagram: S = S’ ∘ H: the message m is hashed to h = H(m), then σ = S’(sk, h); the verifier V checks σ against m]

SLIDE 11

Quantum Security of Hash and Sign

First Step: Simulate using only classical queries to S’
Problem: exponentially many h ⇒ must query S’ too many times

[Diagram: the quantum adversary queries S = S’ ∘ H under key sk (m → h → σ) with success probability ε and outputs (m0, σ0), …, (mq, σq), which V checks]

SLIDE 12

Small Range Distributions [ Z’12b ]

Quantum simulation tool: Let P: M → [r], Q: [r] → H be random functions

Theorem [ Z’12b ]: Q∘P ≈ H for large enough (polynomial) r

[Diagram: on the left H maps m directly to h; on the right P maps m to an index i ∈ [r] and Q maps i to h; the question is whether the two are distinguishable]

SLIDE 13

Step 1: Use S.R. Distribution for H

Now S’ only queried on r inputs ⇒ can simulate
Next Step: Use one of the σi as a forgery for S’
Problem: # of sigs (q+1) << # of S’ queries (r)

[Diagram: H is replaced by Q∘P (m → i → h), σ = S’(sk, h); success probability ε/2; the adversary outputs (m0, σ0), …, (mq, σq), which V checks]
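As an added classical illustration (not code from the talk or the paper), the following Python sketch shows why replacing the random oracle H by the small-range distribution Q∘P lets the reduction answer any number of signing queries while querying S’ on at most r distinct inputs. The underlying scheme S’ is stood in for by HMAC-SHA256 under a secret key, an assumption purely for illustration; the quantum indistinguishability of Q∘P from H is not something classical code can demonstrate.

```python
import hashlib
import hmac
import os
import secrets


def s_prime_sign(sk: bytes, h: bytes) -> bytes:
    """Toy stand-in for the classically secure scheme S' (assumption:
    HMAC-SHA256 under key sk; any classical signing oracle would do)."""
    return hmac.new(sk, h, hashlib.sha256).digest()


class SmallRangeHashAndSign:
    """Reduction-side simulation of hash-and-sign with H replaced by Q∘P.

    P: M -> [r] and Q: [r] -> H are lazily sampled random functions, so the
    composed oracle takes at most r distinct values and S' is queried on at
    most r inputs, however many messages are signed."""

    def __init__(self, sk: bytes, r: int):
        self.sk = sk
        self.r = r
        self.P = {}                    # message -> index i in [r]
        self.Q = {}                    # index i -> hash value h
        self.s_prime_queries = set()   # distinct h ever sent to S'

    def hash(self, m: bytes) -> bytes:
        # H(m) := Q(P(m)); both tables are filled on first use
        i = self.P.setdefault(m, secrets.randbelow(self.r))
        return self.Q.setdefault(i, os.urandom(32))

    def sign(self, m: bytes) -> bytes:
        h = self.hash(m)
        self.s_prime_queries.add(h)
        return s_prime_sign(self.sk, h)

    def verify(self, m: bytes, sigma: bytes) -> bool:
        return hmac.compare_digest(s_prime_sign(self.sk, self.hash(m)), sigma)


def simulate(num_messages: int, r: int):
    """Sign num_messages distinct constructed messages under the simulated
    oracle; return (number of distinct S' queries, whether all verify)."""
    sim = SmallRangeHashAndSign(os.urandom(32), r)
    msgs = [b"msg-%d" % k for k in range(num_messages)]
    sigs = [sim.sign(m) for m in msgs]
    ok = all(sim.verify(m, s) for m, s in zip(msgs, sigs))
    return len(sim.s_prime_queries), ok
```

With 10 000 messages and r = 64 the simulator still makes at most 64 distinct S’ queries, which is exactly the gap the next step (measuring the output of P) has to close before one of the adversary's q+1 signatures can serve as an S’ forgery.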

SLIDE 14

Intermediate Measurement

New quantum simulation technique:

[Diagram: a quantum algorithm with input x and output y has success probability σ; the same algorithm with an intermediate measurement inserted, which has t possible outcomes]

Theorem: Success prob ≥ σ/t

SLIDE 15

Step 2: Measure Output of P

Only q queries to S’ ⇒ one of the σi must be a forgery for S’
Success probability non-negligible for constant q

[Diagram: as in Step 1, but the index i output by P is measured before Q, so S’ is queried on only q inputs; success probability ε/(2 r^q); the adversary outputs (m0, σ0), …, (mq, σq), which V checks]

SLIDE 16

Many-time Secure Scheme

To sign each message, draw

  • A random salt
  • A pairwise indep function R

[Diagram: m → R → r; r and the salt → H → h; h → S’(sk) → σ; the signature output is (σ, salt); V verifies]

Theorem: If S’ is classical many-time secure, then S is quantum many-time secure

SLIDE 17

Other Signature Constructions

Theorem: (Slight variant of) GPV is quantum-secure

Non-Random Oracle Schemes:

Theorem: Generic conversion using Chameleon hash

Theorem: Collision resistance ⇒ quantum-secure signatures

  • Uses entirely different techniques
  • Follow-up work: signatures from one-way functions

SLIDE 18

Quantum Chosen Ciphertext Attack

What if adversary can learn decryptions of superpositions of ciphertexts?

Adversary attempts to break classical semantic security

[Diagram: the adversary sends a ciphertext c to the decryptor holding decryption key sk and receives the plaintext m]

SLIDE 19

Quantum CCA Encryption

Our results:

Separation:

  • Theorem: ∃ classical CCA secure schemes that are not quantum CCA secure

Two constructions:

  • Theorem: OWF ⇒ Symmetric key quantum CCA
  • Theorem: LWE ⇒ Public key quantum CCA

SLIDE 20

Summary & Open Problems

Classical security does not imply quantum security

Quantum-secure signatures:

  • In the (quantum) random oracle model (inc. GPV sigs)
  • Using a chameleon hash
  • From collision resistance

Quantum CCA encryption: both symmetric and public key

Open Problems:

  • Quantum security of Fiat Shamir signatures?
  • Quantum security of CBC-MAC, NMAC, PMAC?
SLIDE 21

Thanks!