
CRYPTOSYSTEMS IN A QUANTUM WORLD Mark Zhandry Stanford University - PowerPoint PPT Presentation



  1. CLASSICAL CRYPTOSYSTEMS IN A QUANTUM WORLD Mark Zhandry – Stanford University * Joint work with Dan Boneh

  2. But First: My Current Work Indistinguishability Obfuscation (and variants) • Multiparty NIKE without trusted setup and with small parameters • Broadcast encryption with short ciphertexts and secret/public keys • Traitor tracing with short ciphertexts and secret/public keys • More to come Talk at NYU 2:30pm Tomorrow (11/20). Ask me for details Multilinear Maps • Can above primitives be built directly from multilinear maps?

  3. Back to Quantum

  4. Classical Crypto. Ex: CCA encryption. [Figure: challenger holds sk, adversary holds pk, adversary sends ciphertexts c = E(pk,m) to a decryption oracle.] Computational power and interactions are classical.

  5. Quantum Computing Attack. Aka: post-quantum crypto. Adversary has a quantum computer; interactions remain classical. [Figure: RSA example: sk = (N,d), pk = (N,e), c = E(pk,m). Adversary factors N → p,q (Shor's alg), computes d = e^{-1} mod ϕ(N), recovers m = D(sk,c).]

  6. Defending against Quantum Computing Attacks. Need crypto based on problems that are hard for quantum computers • Ex: lattice problems. Classical security proofs (reductions) often carry through • Many reductions treat the adversary as a black box • Classical interactions → simulate the adversary using classical techniques • Ex: OWF → PRF, IBE → CCA encryption, etc. • Exception: rewinding

  7. This Talk: Quantum Channel Attacks. All parties have quantum computers. [Figure: same CCA setting with sk, pk and c = E(pk,m), but the channel now carries quantum states.] Computational power and interactions are quantum.

  8. Quantum Background. A quantum state is a superposition over classical values x with amplitudes α_x. Measurement: output x with probability |α_x|^2. Can perform any classical op F in superposition: x ↦ y = F(x).

  9. Motivation. Objection: can always measure the incoming query. [Figure: sk, pk, c = E(pk,m); the query is measured on arrival.] Attack reduced to classical channel attack.

  10. Motivation. Objection: can always measure the incoming query. Answer: implementing measurement securely is non-trivial • Measurement is physical – must trust hardware • What if adversary has access to device? • Only way to be certain: entangle fully with query • Requires quantum storage ≥ total data measured. Conservative approach to crypto: use schemes secure against quantum channel attacks

  11. Proving Quantum Security Main difficulty: simulation • Adversary may query on superposition of all inputs • Exact simulation: • need an answer at every point • Distribution of all answers must be same as real setting Possible solutions: • Find reduction that answers every point correctly • Distribution of answers indistinguishable from real setting • Answer incorrectly on some inputs*

  12. What’s to come • Encryption • Pseudorandom functions • Message authentication codes • Signatures (if time)

  13. Encryption

  14. Quantum CCA Attack. [Figure: (sk,pk) ← G(), adversary gets pk, b ← {0,1}. CCA queries before the challenge: c' ↦ D(sk,c'). Challenge: c = E(pk, m_b). CCA queries after the challenge: D_c(sk,c') = D(sk,c') if c' ≠ c, ⊥ if c' = c. Adversary outputs b'. Queries are sent in superposition.]

  15. Proving security against quantum CCA. Goal: find a reduction that can decrypt all queries except the challenge. Reduction can compute all decryption keys except the challenge. Example: ABB'10 selective IBE + selective IBE → CCA. Reduction can decrypt every ciphertext but the challenge • Needs all decryption keys but challenge

  16. Pseudorandom Functions

  17. Pseudorandom Functions. Recall classical def: b ← {0,1}. b=0: k ← K, F(·) = F(k,·). b=1: F ← Funcs(X,Y). Adversary queries x, receives y = F(x), outputs b'.

  18. Quantum Security for PRFs. Same game with quantum queries: b ← {0,1}. b=0: k ← K, F(·) = F(k,·). b=1: F ← Funcs(X,Y). Adversary queries x in superposition, receives y = F(x), outputs b'.

  19. The GGM Construction

  20. Pseudorandom Generators. G: S → Y with G(s) = (G_0(s), G_1(s)). For s ← S, G(s) ≈ y ← Y.

  21. The GGM Construction. [Figure: binary tree. Root: k ← S. At level i, input bit x_i selects which half of G to apply: G_0 if x_i = 0, G_1 if x_i = 1. Leaves: F_k(000), F_k(001), F_k(010), F_k(011), F_k(100), F_k(101), F_k(110), F_k(111).]
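The GGM tree above, together with the level hybrids of slides 22 to 34, as an added example (not code from the talk). The length-doubling PRG is a constructed stand-in: G_0(s) = SHA-256(0x00 || s) and G_1(s) = SHA-256(0x01 || s); GGM itself only needs some length-doubling PRG. `hybrid_prf` implements "hybrid i": the nodes at depth i are truly random and are filled lazily, which is exactly the classical "only fill active nodes" simulation.

```python
"""GGM PRF from a length-doubling PRG, plus the level hybrids of the proof.
Added example, not the talk's own code.  Assumption (constructed here): the PRG
G: S -> Y is modelled with SHA-256 over a domain-separating byte, so
S = Y = {0,1}^256 and G(s) = (G_0(s), G_1(s)).
"""
import hashlib
import os

SEED_LEN = 32          # |s| in bytes for the stand-in PRG


def prg(s: bytes) -> tuple:
    """G(s) = (G_0(s), G_1(s)): length-doubling PRG (stand-in, see docstring)."""
    assert len(s) == SEED_LEN
    return (hashlib.sha256(b"\x00" + s).digest(),
            hashlib.sha256(b"\x01" + s).digest())


def ggm_prf(k: bytes, x: str) -> bytes:
    """F_k(x): walk the GGM tree from the root k; bit x_i selects G_{x_i}."""
    assert set(x) <= {"0", "1"}
    node = k
    for bit in x:
        node = prg(node)[int(bit)]
    return node


def hybrid_prf(level: int, x: str, table: dict) -> bytes:
    """Hybrid `level` of the level-hybrid argument.

    Nodes at depth `level` are truly random, sampled lazily into `table`
    (keyed by the input prefix that reaches them); the path below them down
    to the leaf is computed with the PRG exactly as in GGM.
    Hybrid 0 with table == {"": k} is the real F_k; hybrid n (n = |x|) is a
    random function.
    """
    prefix = x[:level]
    if prefix not in table:
        table[prefix] = os.urandom(SEED_LEN)   # fill an active node on demand
    node = table[prefix]
    for bit in x[level:]:
        node = prg(node)[int(bit)]
    return node


def active_nodes(level: int, queries) -> int:
    """Number of depth-`level` nodes a classical simulator must fill for `queries`.

    Each classical query activates at most one node per level, so polynomially
    many queries need only polynomially many random samples; a superposition
    query over all inputs would activate every node at once.
    """
    return len({x[:level] for x in queries})


if __name__ == "__main__":
    k = os.urandom(SEED_LEN)
    print("F_k(101) =", ggm_prf(k, "101").hex())
    tbl = {"": k}
    assert hybrid_prf(0, "101", tbl) == ggm_prf(k, "101")
    print("hybrid 0 == real PRF: ok")
```

With three-bit inputs, hybrid 1 over the queries 000, 001, 110 touches only the two level-1 nodes "0" and "1", whereas hybrid 3 over the same queries fills one leaf per query; the table never grows beyond the number of queries, which is the whole reason the classical simulation works.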

  22. Quantum Security Proof? Follow classical steps: Step 1: Hybridize over levels of tree

  23. Hybridize Over Levels Hybrid 0

  24. Hybridize Over Levels Hybrid 1

  25. Hybridize Over Levels Hybrid 2

  26. Hybridize Over Levels Hybrid 3

  27. Hybridize Over Levels Hybrid n

  28. Hybridize Over Levels. PRF distinguisher will distinguish two adjacent hybrids. [Figure: tree whose nodes at the level in question are PRG outputs (Y).]

  29. Hybridize Over Levels. PRF distinguisher will distinguish two adjacent hybrids. [Figure: the same tree with random seed nodes (S) and PRG-output nodes (Y).]

  30. Quantum Security Proof? Follow classical steps: ✓ Step 1: Hybridize over levels of tree Step 2: Simulate hybrids using PRG/Random samples

  31. Simulating Hybrids. [Figure: hybrid trees with random seed nodes (S) and PRG-output nodes (Y).]

  32. How It Was Done Classically Active node: value used to answer query Only need to fill active nodes Adversary only queries polynomial number of points

  33. Quantum Simulation? Adversary can query on all exponentially-many inputs

  34. Quantum Simulation? All nodes are active! Adversary can query on all exponentially-many inputs Cannot simulate exactly with polynomial samples!

  35. A Distribution to Simulate. Any distribution D on values induces a distribution D^X on functions H: X → Y: for all x ∈ X, sample y_x ← D and set H(x) = y_x. Write H ← D^X. [Figure: every point of X receives an independent sample from D.]

  36. Simulating Hybrids. Goal: simulate D^X using poly samples of D. [Figure: hybrid trees labelled with the function distributions G^X and U^X, random seed nodes (S) and PRG-output nodes (Y).]

  37. Attempt 1: Systematic. Sample y_1, ..., y_r ← D and set H(x) = y_{x mod r}. [Figure: y_1 y_2 y_3 y_4 repeated across X.] H is periodic → period learnable by quantum algorithms.

  38. Attempt 2: Random. Sample y_1, ..., y_r ← D and a random function R ← Funcs(X,[r]); set H(x) = y_{R(x)}. [Figure: y_1 ... y_4 assigned to the points of X at random.] Called small range distributions, SR_r^X(D).

  39. Small Range Distributions. Theorem: SR_r^X(D) is indistinguishable from D^X by any q-query quantum algorithm, except with probability O(q^3/r). Notes: • Highly non-trivial • Distinguishing prob not negligible, but good enough • We get to choose r • Random function R not efficiently constructible • [Zha'12a] Can simulate R using k-wise independence
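Both attempts at simulating D^X (slides 37 and 38), as an added example that is not code from the talk. D is a constructed distribution (uniform 16-bit values) and X = {0, ..., 2^16 - 1}. The random function R of SR_r^X(D) is sampled lazily, one point at a time, which is fine for classical evaluation but is not the k-wise-independent construction from [Zha'12a] that the quantum setting needs. `colliding_pairs` shows the classical view of the same tension: a q-query distinguisher sees collisions at rate about q^2/(2r) under SR_r, so r has to be large relative to q^2 classically and to q^3 in the quantum theorem.

```python
"""Simulating the function distribution D^X with few samples of D.
Added example, not the talk's own code.  Assumptions (constructed here):
  - D is uniform over 16-bit integers, X = {0, ..., 2^16 - 1};
  - the random function R: X -> [r] of SR_r^X(D) is sampled lazily.
"""
import random


def sample_d(rng: random.Random) -> int:
    """One sample from D (here: a uniform 16-bit value)."""
    return rng.getrandbits(16)


def draw_samples(r: int, seed: int) -> list:
    """y_1, ..., y_r <- D (seeded so the example is reproducible)."""
    rng = random.Random(seed)
    return [sample_d(rng) for _ in range(r)]


def systematic_h(samples: list, x: int) -> int:
    """Attempt 1: H(x) = y_{x mod r}.  Periodic with period r."""
    return samples[x % len(samples)]


class SmallRangeH:
    """Attempt 2, SR_r^X(D): H(x) = y_{R(x)} for a random R: X -> [r]."""

    def __init__(self, samples: list, seed: int):
        self.samples = samples
        self._rng = random.Random(seed)
        self._R = {}            # lazily sampled random function R

    def __call__(self, x: int) -> int:
        if x not in self._R:
            self._R[x] = self._rng.randrange(len(self.samples))
        return self.samples[self._R[x]]


def has_period(h, period: int, xs) -> bool:
    """True iff h(x) == h(x + period) for every x in xs."""
    return all(h(x) == h(x + period) for x in xs)


def colliding_pairs(h, xs) -> int:
    """Number of pairs x != x' in xs with h(x) == h(x').

    This is what a classical distinguisher with q = len(xs) queries can see:
    about q^2 / (2 * 2^16) for a truly random H <- D^X, about q^2 / (2r)
    for SR_r^X(D).
    """
    seen = {}
    pairs = 0
    for x in xs:
        v = h(x)
        pairs += seen.get(v, 0)
        seen[v] = seen.get(v, 0) + 1
    return pairs


if __name__ == "__main__":
    ys = draw_samples(8, seed=1)
    print("attempt 1 periodic with r=8:",
          has_period(lambda x: systematic_h(ys, x), 8, range(100)))
    h = SmallRangeH(ys, seed=2)
    print("attempt 2 periodic with r=8:", has_period(h, 8, range(100)))
    print("collisions among 64 queries under SR_8:", colliding_pairs(h, range(64)))
```

Attempt 1 fails for any r because the period is a structural property that a quantum period-finding algorithm extracts in one shot; attempt 2 has no period, and its only classical tell is the elevated collision rate, which the theorem on this slide bounds in the quantum case by O(q^3/r).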

  40. Quantum GGM Proof. PRF distinguisher will distinguish two adjacent hybrids. [Figure: each hybrid tree (random seed nodes S, PRG-output nodes Y) is ≈ its small-range version (SR distributions).]

  41. Quantum Security Proof? Follow classical steps: ✓ Step 1: Hybridize over levels of tree ✓ Step 2: Simulate hybrids approximately using PRG/random samples ✓ Step 3: Hybrid over samples

  42. Quantum GGM Proof. PRF distinguisher will distinguish two adjacent hybrids. [Figure: each hybrid tree (random seed nodes S, PRG-output nodes Y) is ≈ its small-range version (SR distributions), and the two small-range versions are ≈ each other (PRG security).]

  43. Message Authentication Codes (MACs)

  44. Message Authentication Codes (MACs). Recall classical def: k ← {0,1}^λ. Adversary queries messages m_1, m_2, ..., m_i and receives σ_i = S(k, m_i); finally outputs (m,σ). Requirements: V(k,m,σ) accepts, and m ≠ m_i for any i.

  45. Quantum Security? k ← {0,1}^λ. Adversary queries m_1, m_2, ..., m_i in superposition and receives σ_i; finally outputs (m,σ). Classical requirements: V(k,m,σ) accepts, m ≠ m_i for any i. Cannot copy quantum info! • Must define success without reference to queries

  46. Quantum Security. k ← {0,1}^λ. Adversary makes q queries m_i, receives σ_i = S(k, m_i), then outputs (m_0*,σ_0*), ..., (m_q*,σ_q*). Adversary must produce q+1 (distinct) forgeries after making q queries.

  47. PRF as a MAC. Try classical construction: S(k,x) = F(k,x) = σ. V(k,x,σ): recompute F(k,x); accept if σ = F(k,x), else reject.

  48. Security of PRF as a MAC. k ← {0,1}^λ. Adversary makes q queries m_i, receives σ_i = F(k, m_i), then outputs (m_0*,σ_0*), ..., (m_q*,σ_q*). Adversary must produce q+1 (distinct) input/output pairs of F after making q queries.

  49. Security of PRF as a MAC. Replace F with a random function F ← Funcs(M,T). Adversary makes q queries m_i, receives σ_i = F(m_i), then outputs (m_0*,σ_0*), ..., (m_q*,σ_q*). Oracle Interrogation: adversary must produce q+1 (distinct) input/output pairs of a random function after making q queries.
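The two MAC win conditions of slides 44 to 49 written out as checkers, as an added example that is not code from the talk. The PRF used as the MAC is a constructed stand-in (HMAC-SHA256 truncated to TAG_LEN bytes, so |T| = 256^TAG_LEN), queries are classical, and `replay_adversary` is the trivial adversary that returns its q oracle answers plus one guessed tag, which wins only if the guess hits (probability 1/|T|). The point is the definitional change: `quantum_cma_win` never consults the set of queried messages, because with quantum queries that set is not something the challenger can record.

```python
"""MAC security game: classical win condition vs. the q+1-forgeries condition.
Added example, not the talk's own code.  Assumptions (constructed here):
  - the PRF F(k,m) used as the MAC is HMAC-SHA256 truncated to TAG_LEN bytes;
  - queries are classical; only the win condition changes.
"""
import hashlib
import hmac

TAG_LEN = 4   # 32-bit tags, deliberately short; |T| = 2^32


def mac_sign(k: bytes, m: bytes) -> bytes:
    """S(k,m) = F(k,m): the PRF output is the tag."""
    return hmac.new(k, m, hashlib.sha256).digest()[:TAG_LEN]


def mac_verify(k: bytes, m: bytes, sigma: bytes) -> bool:
    """V(k,m,sigma): recompute F(k,m) and compare in constant time."""
    return hmac.compare_digest(mac_sign(k, m), sigma)


def classical_cma_win(k: bytes, queried: set, m: bytes, sigma: bytes) -> bool:
    """Classical forgery: a valid tag on a message never sent to the oracle."""
    return m not in queried and mac_verify(k, m, sigma)


def quantum_cma_win(k: bytes, q: int, forgeries) -> bool:
    """Slide 46 condition: q+1 distinct valid (m, sigma) pairs after q queries.

    The set of queried messages is never consulted: a quantum query leaves no
    copyable record of which messages were asked, so the condition must be
    stated without it.
    """
    distinct = set(forgeries)
    return len(distinct) >= q + 1 and all(mac_verify(k, m, s) for m, s in distinct)


def replay_adversary(k: bytes, q: int, guess: bytes) -> list:
    """Weakest adversary: replay the q oracle answers and add one guessed tag.

    The (q+1)-th pair is valid with probability 1/|T| (classical bound); the
    quantum bound from slide 51 only allows a factor of q+1 on top of that.
    """
    pairs = []
    for i in range(q):
        m = b"msg-%d" % i                 # constructed messages
        pairs.append((m, mac_sign(k, m)))  # oracle answer
    pairs.append((b"msg-forged", guess))
    return pairs


if __name__ == "__main__":
    k = b"\x01" * 32                      # constructed key
    print("replay + zero guess wins:",
          quantum_cma_win(k, 3, replay_adversary(k, 3, b"\x00" * TAG_LEN)))
```

Note the duplicate check: returning the same valid pair twice must not count, otherwise q queries would already yield q+1 "forgeries" by repetition, which is why the definition insists on distinct pairs.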

  50. Quantum Oracle Interrogation. Classically: hard. Adv[q+1 points]: 1/|T| (1/2^n for n-bit tags). Quantum: not so fast. [vD'98]: random function F: X → {0,1}, q quantum queries ⇒ 1.9q points w.h.p. Also true for small range size, ex: random function F: X → {0,1}^2, q quantum queries ⇒ 1.3q points w.h.p. Question: what about large range size?

  51. Quantum Oracle Interrogation. Our result: Theorem: random function F: X → T, Adv[q queries ⇒ q+1 points] ≤ (q+1)/|T| (only lose a factor of q+1 relative to the classical case). Highly nontrivial • Invented new quantum impossibility tool: the Rank Method. Takeaway: quantum oracle interrogation is easier, but still hard

  52. Back to MAC Security. Classical CMA: secure PRF ⇒ secure MAC (Adv: 1/|T|). Quantum CMA: quantum-secure PRF ⇒ quantum-secure MAC (Adv: (q+1)/|T|). Both cases: MAC size super-logarithmic ⇒ MAC is secure

  53. Signatures

  54. Signatures. Naturally extend the MAC definition: (sk,pk) ← G(); adversary gets pk, makes q queries m_i, receives σ_i = S(sk, m_i), then outputs (m_0*,σ_0*), ..., (m_q*,σ_q*).

  55. Proof Difficulties. Aborts are problematic • Can't both abort and continue. Adversary can tell if signatures are invalid • Need to sign all messages correctly. Previous quantum proof techniques leave query intact • Known limitations in quantum setting: • MPC [DFNS'11] • Fiat-Shamir in QROM [DFG'13] • Cannot prove security for unique signatures (Ex: Lamport)

  56. Building Quantum-Secure Signatures. First attempt: do classical constructions work? Examples: • From lattices [CHKP'10, ABB'10] • Using random oracles [BR'93, GPV'08] • From generic assumptions [Rom'90]. Short answer: sometimes yes, with small modifications
