
Cryptography in the Age of Quantum Computers, Mark Zhandry, MIT (PowerPoint PPT presentation)



  1. Cryptography in the Age of Quantum Computers. Mark Zhandry, MIT. Based on joint works with: Dan Boneh, Özgür Dagdelen, Marc Fischlin, Anja Lehmann, Christian Schaffner.

  2. Typical Crypto Application: a message m is sent from one party to another over a channel (diagram).

  3. Solution: (Private Key) Encryption. c = Enc(k, m); m = Dec(k, c); an eavesdropper on the channel sees c. Major question: How is security defined?

  4. Definition 1: 1-time security. For any m_0, m_1: c_0 = Enc(k, m_0) ≈ c_1 = Enc(k, m_1). Statistical security: statistical closeness; [Sha'49]: |k| ≥ |m|. Computational security: computational indistinguishability; restrict adversaries to run efficiently; now possible to have |k| << |m|. Question: what if I encrypt a second message?

  5. Definition 2: CPA Security (indistinguishability under chosen plaintext attack). Challenger picks a random bit b and a random key k. Adversary sends m_0, m_1; challenger replies c = Enc(k, m_b); adversary outputs b'. Def: CPA-security: ∀ efficient adversaries, |Pr[b'=b] – ½| < negl.

  6. Definition 3: CCA Security (indistinguishability under chosen ciphertext attack). Challenger picks a random bit b, a random key k, and an empty table T. Adversary sends m_0, m_1; challenger replies c = Enc(k, m_b) and adds c to T. Adversary may then submit ciphertexts c and receives m = Dec(k, c) if c ∉ T. Adversary outputs b'. Def: CCA-security: ∀ efficient adversaries, |Pr[b'=b] – ½| < negl.

  7. Other Scenarios. Circular security: Enc(k, k). Side-channel attacks: adversary learns f(k). Takeaway: models should give the adversary as much power as possible.

  8. Quantum Computers. So far, assumed adversary obeys classical physics. What about quantum physics? Quantum computing = using quantum physics to perform certain computations. • Active research area. • [Sho'94]: quantum computers can break lots of crypto.

  9. Post-Quantum CCA Security. Interaction is still classical: the same CCA game as slide 6 (random b, random key k, table T; m_0, m_1 → c = Enc(k, m_b), added to T; decryption queries answered with m = Dec(k, c) if c ∉ T; output b'), but the adversary is a quantum computer. Def: CCA-security: ∀ efficient adversaries, |Pr[b'=b] – ½| < negl.

  10. Post-Quantum Security. Post-quantum = end-users are classical. All interaction is classical.

  11. Full Quantum Security. Full quantum = end-users are quantum. Quantum messages.

  12. Quantum Background. Quantum states: a superposition of all messages, |ψ⟩ = Σ_m α_m |m⟩, with Σ_m |α_m|² = 1. Measurement: |ψ⟩ yields m with probability |α_m|². Simulate classical ops in superposition: applying F maps Σ_m α_m |m⟩ to Σ_m α_m |F(m)⟩.

  13. Full Quantum CCA Security? Challenger picks a random bit b and a random key k. Adversary sends m_0, m_1; challenger replies c = Enc(k, m_b). Decryption queries are now superpositions of ciphertexts c, answered with m = Dec(k, c) computed in superposition. Adversary outputs b'. Def: CCA-security: ∀ efficient adversaries, |Pr[b'=b] – ½| < negl.

  14. Are Full Quantum Attacks Plausible? Objection: can always "classicalize" by sampling: measure the superposition of m to get a classical m, encrypt to c ⇒ reduce attack to post-quantum attack! Reasons to still use full quantum notions: • Classicalization is a burden on the hardware designer. • What if the adversary can bypass it? • Classicalization amounts to a hardware assumption.

  15. This Work. [BDFLSZ'11, Zha'12a, Zha'13]: Quantum random oracle model. [Zha'12b]: Pseudorandom functions. [BZ'13a]: Message Authentication Codes. [BZ'13b]: Digital signatures and encryption. Theorem: Full-quantum security > Post-quantum security. Theorem (Informal): Full-quantum security can be obtained with "minimal" overhead w.r.t. post-quantum security.

  16. Example: Pseudorandom Functions [GGM'84]. Efficient keyed functions that "look like" random functions. • Fundamental building block in symmetric crypto. Classical security: choose a random bit b; if b = 0, F is the PRF with a random key, if b = 1, F ← Func(X, Y). Adversary queries x and receives F(x); outputs b'. Def: Security: ∀ efficient adversaries, |Pr[b'=b] – ½| < negl.

  17. Example: Pseudorandom Functions [GGM'84]. Post-quantum security: same game as slide 16 (random b; F = PRF or F ← Func(X, Y) when b = 1; classical queries x answered with F(x); output b'), but the adversary is quantum. Def: PQ-Security: ∀ efficient quantum adversaries, |Pr[b'=b] – ½| < negl.

  18. Example: Pseudorandom Functions [GGM'84]. Full-quantum security: same game, but the adversary queries a superposition of inputs x and receives the corresponding superposition of F(x). Def: FQ-Security: ∀ efficient quantum adversaries, |Pr[b'=b] – ½| < negl.

  19. How to build QPRFs? Hope that existing PQ-secure PRFs are FQ secure. Examples: GGM, NR, BPR. Questions: • Do classical security analyses carry over? • If not, what new tools are needed?

  20. Pseudorandom Generators. G takes a seed s ← S and outputs (G_0(s), G_1(s)); this output ≈ a uniformly random y ← Y: indistinguishable by efficient quantum adversaries.

  21. The GGM Construction. Root: key k ← S. At each level i the input bit x_i selects G_{x_i}: x_0 picks G_0 or G_1 of k, x_1 picks G_0 or G_1 of that node, and so on. With three levels the eight leaves are F_k(000), F_k(001), F_k(010), F_k(011), F_k(100), F_k(101), F_k(110), F_k(111). (Slides 22 through 26 build up the same tree.)

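The GGM tree from the slides above, written out as an added example (not the talk's own code). It assumes a length-doubling PRG instantiated heuristically from SHA-256, with the two hash outputs serving as G_0(s) and G_1(s); `ggm_leaf_table` expands the full tree level by level as the pictures do, while `ggm_prf` walks only the one root-to-leaf path that F_k(x) needs.

```python
import hashlib

# Assumption (not from the talk): a length-doubling PRG G built from SHA-256.
SEED_LEN = 32  # bytes; G maps SEED_LEN bytes to 2 * SEED_LEN bytes


def prg(seed: bytes) -> bytes:
    """G(s): seed -> (G_0(s) || G_1(s)), with domain separation by a suffix byte."""
    assert len(seed) == SEED_LEN
    return (hashlib.sha256(seed + b"\x00").digest()
            + hashlib.sha256(seed + b"\x01").digest())


def prg_half(seed: bytes, bit: int) -> bytes:
    """G_b(s): left half of G(s) for bit 0, right half for bit 1."""
    out = prg(seed)
    return out[:SEED_LEN] if bit == 0 else out[SEED_LEN:]


def ggm_prf(key: bytes, x: str) -> bytes:
    """F_k(x): start at the root k and apply G_{x_i} for each input bit in order."""
    s = key
    for ch in x:
        s = prg_half(s, int(ch))
    return s


def ggm_leaf_table(key: bytes, n: int) -> dict:
    """Expand every node of the depth-n tree and return {x: F_k(x)} for all 2^n leaves."""
    level = {"": key}
    for _ in range(n):
        level = {prefix + str(b): prg_half(s, b)
                 for prefix, s in level.items() for b in (0, 1)}
    return level


if __name__ == "__main__":
    k = b"\x11" * SEED_LEN  # constructed demo key
    for x, leaf in sorted(ggm_leaf_table(k, 3).items()):
        assert leaf == ggm_prf(k, x)
        print(f"F_k({x}) = {leaf.hex()[:16]}...")
```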

  27. Quantum Security Proof? Idea: follow the classical steps. • Turn a PRF distinguisher into a PRG distinguisher. Step 1: Hybridize over levels of the tree.

  28. Hybridize Over Levels. Hybrid 0: only the root is sampled from S (the real PRF).

  29. Hybridize Over Levels. Hybrid 1: the two level-1 nodes are sampled independently from S.

  30. Hybridize Over Levels. Hybrid 2: the four level-2 nodes are sampled independently from S.

  31. Hybridize Over Levels. Hybrid 3: the eight level-3 nodes are sampled independently from S.

  32. Hybridize Over Levels. Hybrid n: all 2^n leaves are sampled independently from S.

  33. Hybridize Over Levels. Distinguish PRF from Func(X, Y) with advantage ε ⇒ distinguish two adjacent hybrids with advantage ε/n. n polynomial ⇒ acceptable loss.

  34. Hybridize Over Levels. Two adjacent hybrids differ in one level: its nodes are either PRG outputs of the level above (S values) or independent uniform samples (Y values). The argument carries over to the quantum setting unmodified.

  35. Quantum Security Proof? Idea: follow the classical steps. • Turn a PRF distinguisher into a PRG distinguisher. ✓ Step 1: Hybridize over levels of the tree. Step 2: Simulate hybrids using PRG/random samples.

  36. Simulating Hybrids. A hybrid distinguisher (one level filled with S values vs. filled with Y values) yields a distinguisher for several PRG samples at once: given samples that are all PRG outputs or all uniform, place them at that level and run the hybrid distinguisher.

  37. How It Was Done Classically. Active node: a value used to answer a query. The adversary only queries a polynomial number of points ⇒ only need to fill the active nodes ⇒ need poly-many samples.

  38. Quantum Simulation? The adversary can query on all exponentially many inputs at once.

  39. Quantum Simulation? All nodes are active! The adversary can query on all exponentially many inputs ⇒ need exponentially many samples to simulate!

  40. Quantum Security Proof? Idea: follow the classical steps. • Turn a PRF distinguisher into a PRG distinguisher. ✓ Step 1: Hybridize over levels of the tree. ? Step 2: Simulate hybrids using PRG/random samples. Step 3: Hybrid over samples.

  41. Hybrid Over Samples. Distinguisher for t samples with advantage ε ⇒ distinguisher for 1 sample with advantage ε/t. The argument carries over to the quantum setting unmodified.

  42. Quantum Security Proof? ✓ Step 1: Hybridize over levels of the tree. ? Step 2: Simulate hybrids using PRG/random samples. ✓ Step 3: Hybrid over samples. • Exponentially many samples ⇒ exponential security loss. • Can only handle poly-many samples.

  43. Quantum Security Proof? ✓ Step 1: Hybridize over levels of the tree. ✗ Step 2: Simulate hybrids using PRG/random samples. ✓ Step 3: Hybrid over samples. • Exponentially many samples ⇒ exponential security loss. • Can only handle poly-many samples.

  44. A Distribution to Simulate. A distribution D on Y induces a distribution D^X on functions H: X → Y: for all x ∈ X, sample y_x ← D and set H(x) = y_x. Goal: simulate H ← D^X using poly-many samples.

  45. Solution: Small-Range Distributions. Sample y_1, y_2, ..., y_r ← D and a random function R ← Funcs(X, [r]); set H(x) = y_{R(x)}. Write H ← SR^X_r(D). Every output of H is one of only r values, so many inputs share the same y_i.

  46. Small-Range Distributions. Theorem: SR^X_r(D) is indistinguishable from D^X by any q-query quantum algorithm, except with advantage O(q³/r). Notes: • Highly non-trivial. • Distinguishing probability not negligible, but good enough. • We get to choose r. • The random function R is not efficiently constructible. Theorem: Can simulate R using k-wise independence.
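The small-range distribution of slides 44 through 46, as an added example (not the talk's code). `lazy_random_function` is the H ← D^X that a classical simulator can afford only for poly-many queried points, and `small_range_function` is H ← SR^X_r(D) with R replaced, as the last theorem suggests, by a k-wise independent function; the concrete choice of a random degree-(k-1) polynomial over GF(p) folded into [r] is an assumption here, not something the slides specify.

```python
import random

# Assumption (not from the talk): k-wise independence via a random polynomial over GF(p).
def make_kwise_hash(k: int, p: int, r: int, rng: random.Random):
    """R: X -> [r]; any k distinct inputs get independent outputs (up to the mod-r fold)."""
    coeffs = [rng.randrange(p) for _ in range(k)]  # degree < k, so k-wise independent mod p

    def R(x: int) -> int:
        acc = 0
        for a in reversed(coeffs):  # Horner evaluation of the polynomial mod p
            acc = (acc * x + a) % p
        return acc % r  # fold into [r]; slightly biased unless r divides p
    return R


def small_range_function(sample_D, r: int, k: int, p: int, rng: random.Random):
    """H ~ SR^X_r(D): draw y_1..y_r from D once, then answer every x with y_{R(x)}."""
    ys = [sample_D(rng) for _ in range(r)]  # only r samples of D, however large X is
    R = make_kwise_hash(k, p, r, rng)
    return lambda x: ys[R(x)]


def lazy_random_function(sample_D, rng: random.Random):
    """H ~ D^X simulated lazily: one fresh D-sample per distinct input, memoised."""
    table = {}

    def H(x):
        if x not in table:
            table[x] = sample_D(rng)
        return table[x]
    return H


def count_distinct_outputs(H, domain) -> int:
    """How many different values H takes on the given inputs."""
    return len({H(x) for x in domain})


if __name__ == "__main__":
    rng = random.Random(7)
    D = lambda g: g.getrandbits(64)  # constructed D: uniform 64-bit values
    H_sr = small_range_function(D, r=16, k=4, p=(1 << 61) - 1, rng=rng)
    H_full = lazy_random_function(D, random.Random(1))
    print("SR_16 distinct outputs over 4096 inputs:", count_distinct_outputs(H_sr, range(4096)))
    print("D^X distinct outputs over 4096 inputs:", count_distinct_outputs(H_full, range(4096)))
```

A q-query algorithm that could tell the two apart would have advantage at most O(q³/r), so raising r buys indistinguishability at the cost of r samples rather than |X|.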
