post quantum security of symmetric key schemes
play

(post-)quantum security of symmetric key schemes NTT Secure - PowerPoint PPT Presentation

May 07, 2023 •166 likes •738 views

Towards a better understanding of (post-)quantum security of symmetric key schemes NTT Secure Platform Laboratories (and Nagoya University) Akinori Hosoyamada @ASK 2019 (2019.12.13) Introduction Quantum Attacks against Symmetric

  1. Towards a better understanding of (post-)quantum security of symmetric key schemes NTT Secure Platform Laboratories (and Nagoya University) Akinori Hosoyamada @ASK 2019 (2019.12.13)

  2. Introduction

  3. Quantum Attacks against Symmetric Cryptosystems? It has been said that symmetric key schemes would not to be much affected by quantum computers

  4. Known Quantum Attacks :~2010 Classical Quantum Exhaustive 𝑃(2 𝑜 ) 𝑃(2 𝑜/2 ) Key Search Collision Finding 𝑃(2 𝑜/2 ) 𝑃(2 𝑜/3 ) “2n - bit key suffices”

  5. Known Quantum Attacks : Today Classical Quantum Exhaustive 𝑃(2 𝑜 ) 𝑃(2 𝑜/2 ) Key Search Collision Finding 𝑃(2 𝑜/2 ) 𝑃(2 𝑜/3 ) Key Recovery on Polynomial time 𝑃(2 𝑜/2 ) Even-Mansour Forgery against Polynomial time 𝑃(2 𝑜/2 ) CBC-MAC Remark : The last two attacks assumes that quantum keyed oracles are available

  6. Quantum Attacks against Symmetric Cryptosystems? It has been said that symmetric key schemes would not to be much affected by quantum computers Symmetric key schemes may be significantly affected !! ・ Attacks by Kuwakado and Morii at ISIT2010, ISITA2012 ・ Attacks by Kaplan et al. at CRYPTO2016

  7. Quantum Attacks against Symmetric Cryptosystems? It has been said that symmetric key schemes would not to be much affected by quantum computers Symmetric key schemes may be significantly affected !! ・ Attacks by Kuwakado and Morii at ISIT2010, ISITA2012 ・ Attacks by Kaplan et al. at CRYPTO2016 Post-quantum security of symmetric schemes should be analyzed more carefully

  8. Attack Models Chosen Plaintext Attack Enc. Oracle Message Ciphertext Computer Adversary

  9. Attack Models Chosen Plaintext Attack Chosen Plaintext Attack Q1 model, classical query Enc. Enc. Oracle Oracle Message Ciphertext Message Ciphertext Quantum Computer Computer Adversary Adversary

  10. Attack Models Chosen Plaintext Attack Chosen Plaintext Attack Q2 model, quantum query Enc. Quantum Enc. Oracle Oracle Quantum Quantum Message Ciphertext Superposed Superposed Ciphertext Message Quantum Computer Computer Adversary Adversary

  11. Question: Why should we consider quantum query attacks? A1. Classical algorithms can be converted into quantum algorithms quantum query attacks on white-box implementations A2. Quantum query attacks lead to more realistic [classical query + quantum computation] attacks Ex.) Offline Simon’s algorithm at Asiacrypt 2019. A3. For hash functions, quantum query attacks are natural A4. If a scheme is secure against quantum query attacks, it can be used in cryptographic applications that run on quantum computers.

  12. Question: Why should we consider quantum query attacks? A1. Classical algorithms can be converted into quantum algorithms quantum query attacks on obfuscated implementations? A2. Quantum query attacks lead to more realistic [classical query + quantum computation] attacks Ex.) Offline Simon’s algorithm at Asiacrypt 2019. A3. For hash functions, quantum query attacks are natural A4. If a scheme is secure against quantum query attacks, it can be used in cryptographic applications that run on quantum computers.

  13. Question: Why should we consider quantum query attacks? A1. Classical algorithms can be converted into quantum algorithms quantum query attacks on obfuscated implementations? A2. Quantum query attacks lead to more realistic [classical query + quantum computation] attacks Ex.) Offline Simon’s algorithm at Asiacrypt 2019. A3. For hash functions, quantum query attacks are natural A4. If a scheme is secure against quantum query attacks, it can be used in cryptographic applications that run on quantum computers.

  14. Question: Why should we consider quantum query attacks? A1. Classical algorithms can be converted into quantum algorithms quantum query attacks on obfuscated implementations? A2. Quantum query attacks lead to more realistic [classical query + quantum computation] attacks Ex.) Offline Simon’s algorithm at Asiacrypt 2019. A3. For hash functions, quantum query attacks are natural A4. If a scheme is secure against quantum query attacks, it can be used in cryptographic applications that run on quantum computers.

  15. Question: Why should we consider quantum query attacks? A1. Classical algorithms can be converted into quantum algorithms quantum query attacks on obfuscated implementations? A2. Quantum query attacks lead to more realistic [classical query + quantum computation] attacks Ex.) Offline Simon’s algorithm at Asiacrypt 2019. A3. For hash functions, quantum query attacks are natural A4. If a scheme is secure against quantum query attacks, it can be used in cryptographic applications that run on quantum computers.

  16. Quantum Query Attacks

  17. Known Quantum Attacks : Today Classical Quantum Exhaustive 𝑃(2 𝑜 ) 𝑃(2 𝑜/2 ) Key Search Collision Finding 𝑃(2 𝑜/2 ) 𝑃(2 𝑜/3 ) Key Recovery on Polynomial time 𝑃(2 𝑜/2 ) Even-Mansour Forgery against Polynomial time 𝑃(2 𝑜/2 ) CBC-MAC Remark : The last two attacks assumes that quantum keyed oracles are available

  18. Known Quantum Attacks : Today Classical Quantum Exhaustive 𝑃(2 𝑜 ) 𝑃(2 𝑜/2 ) Key Search Simon’s algorithm Collision Finding 𝑃(2 𝑜/2 ) 𝑃(2 𝑜/3 ) Key Recovery on Polynomial time 𝑃(2 𝑜/2 ) Even-Mansour Forgery against Polynomial time 𝑃(2 𝑜/2 ) CBC-MAC Remark : The last two attacks assumes that quantum keyed oracles are available

  19. Simon’s period finding algorithm Problem Suppose 𝑔: {0,1} 𝑜 → 𝑇 and s ∈ {0,1} 𝑜 satisfy ∀𝑦 ∈ 0,1 𝑜 𝑔 𝑦 ⊕ 𝑡 = 𝑔(𝑦) Given an oracle access to 𝑔 , find 𝑡 . Classical algorithms: Exponential time Simon’s quantum algorithm: Polynomial time [Sim97] [Sim97] Daniel R Simon. On the power of quantum computation. SIAM journal on computing , 26(5):1474 – 1483, 1997.

  20. Simon’s period finding algorithm Problem Suppose 𝑔: {0,1} 𝑜 → 𝑇 and s ∈ {0,1} 𝑜 satisfy ∀𝑦 ∈ 0,1 𝑜 𝑔 𝑦 ⊕ 𝑡 = 𝑔(𝑦) Given an oracle access to 𝑔 , find 𝑡 . To mount poly-time attacks, it is important to reduce Classical algorithms: Exponential time the target problem to Simon’s problem Simon’s quantum algorithm: Polynomial time [Sim97] [Sim97] Daniel R Simon. On the power of quantum computation. SIAM journal on computing , 26(5):1474 – 1483, 1997.

  21. Key-Recovery Attack on Even-Mansour 𝑙 1 𝑙 2 Even-Mansour cipher 𝐹 𝑙 1 ,𝑙 2 𝑄 (P:public permutation) Quantum CPA against Even-Mansour ciphers 𝑔 𝑦 = 𝐹 𝑙 1 ,𝑙 2 𝑦 ⊕ 𝑄(𝑦) satisfies 𝑔 𝑦 ⊕ 𝑙 1 = 𝑔(𝑦) • We can recover 𝑙 1 in polynomial time with Simon’s algorithm • 𝑙 2 can easily be recovered since we have 𝐹 𝑙 1 ,𝑙 2 𝑦 ⊕ 𝑄 𝑦 ⊕ 𝑙 1 = 𝑙 2 [KM12] H. Kukakado and M. Morii: Security on the quantum-type Even-Mansour cipher. ISITA 2010.

  22. Various MACs/AEs are broken in poly- time… If quantum queries are allowed, Simon’s algorithm breaks – CBC-MAC – PMAC 𝛽 𝑐 𝑦 – GMAC – GCM 𝐹 𝑙 1 𝐹 𝑙 1 – OCB … 𝐹 𝑙 2 In polynomial time ! 𝑔 𝑐 𝑦 M. Kaplan, G. Leurent, A. Leverrier, and M. Naya-Plasencia: Breaking symmetric cryptosystems using quantum period finding (CRYPTO 2016)

  23. Luby-Rackoff (Feistel) Construction Security in the classical setting PRP? (secure SPRP? (secure against CPA?) against CCA?) × × 2-round 〇 × 3-round 〇 〇 4-round 〇 〇 5-round M. Luby, C. Rackoff: How to construct pseudo-random permutations from pseudorandom functions (CRYPTO '85)

  24. Luby-Rackoff (Feistel) Construction Security in the quantum setting PRP? (secure SPRP? (secure against CPA?) against CCA?) × × 2-round × [KM10] × 3-round 〇 [HI19] × [IHMSI19] 4-round 〇 [HI19] 5-round ? [KM10] M. Luby, C. Rackoff: Quantum distinguisher between the 3-round Feistel cipher and the random permutation (ISIT 2010) [IHMSI19] G. Ito, A. Hosoyamada, R. Matsumoto, Y. Sasaki, T. Iwata: quantum chosen-ciphertext attacks against Feistel ciphers? (CT-RSA 2019) [HI19] A. Hosoyamada, T. Iwata: 4-Round Luby-Rackoff construction is a qPRP. (Asiacrypt 2019)

  25. Other Quantum Query Attacks Speed-up for differential/linear cryptanalysis [KLLN16b] • Key recovery attacks on Feistel by using the quantum • distinguishers [HS18b,IHMSI19] The attack with Kuperberg’s algorithm [BN18] • The attack on the FX construction by Leander and May [LM17] • Speed-up for Demiric-Secluk meet-in-the-middle attack [HS18b, • BNS19] [BN18] X. Bonnetain, M. Naya-Plasencia: Hidden Shift Quantum Cryptanalysis and Implications, Asiacrypt 2018. [HS18b] A. Hosoyamada, Y. Sasaki: Quantum Demiric-Selçuk Meet-in-the-Middle Attacks: Applications to 6-Round Generic Feistel Constructions, SCN 2018. [IHMSI19] G. Ito, A. Hosoyamada, R. Matsumoto, Y. Sasaki, T. Iwata: Quantum Chosen-Ciphertext Attacks Against Feistel Ciphers. CT-RSA 2019. [KLLN16b] M. Kaplan, G. Leurent, A. Leverrier, M. Naya-Plasencia: Quantum Differential and Linear Cryptanalysis. IACR Trans. Symmetric Cryptol. 2016(1), pp. 71-94. [LM17] G. Leander, A. May: Grover Meets Simon - Quantumly Attacking the FX-construction. Asiacrypt 2017. [BNS19] X. Bonnetain, M. Naya-Plasencia, A. Schrottenloher: Quantum Security Analysis of AES. IACR Trans. Symmetric Cryptol. 2019(2), pp. 55-93.

  26. Attacks with Classical Query + Quantum Computation

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Saturnin A suite of lightweight symmetric algorithms for post-quantum security Anne Canteaut 1

Saturnin A suite of lightweight symmetric algorithms for post-quantum security Anne Canteaut 1

Saturnin A suite of lightweight symmetric algorithms for post-quantum security Anne Canteaut 1 Sbastien Duval 2 Gatan Leurent 1 Mara Naya-Plasencia 1 Lo Perrin 1 Thomas Pornin 3 Andr Schrottenloher 1 1 Inria, France 2 UCL Crypto Group,

750 views • 26 slides
Symmetric Key Cryptography Introduction to Symmetric Key Cryptography Myth Where does security

Symmetric Key Cryptography Introduction to Symmetric Key Cryptography Myth Where does security

PQCRYPTO Summer School on Post-Quantum Cryptography 2017 Stefan Klbl June 19th, 2017 DTU Compute, Technical University of Denmark Symmetric Key Cryptography Introduction to Symmetric Key Cryptography Myth Where does security fail?

758 views • 72 slides
White-Box Security Notions for Symmetric Encryption Schemes ee 1 ede Lepoint 1 , 2 C ecile

White-Box Security Notions for Symmetric Encryption Schemes ee 1 ede Lepoint 1 , 2 C ecile

White-Box Security Notions for Symmetric Encryption Schemes ee 1 ede Lepoint 1 , 2 C ecile Delerabl Tancr` Pascal Paillier 1 Matthieu Rivain 1 CryptoExperts 1 , erieure 2 Ecole Normale Sup SAC 2013 Outline 1 What is white-box

406 views • 38 slides
Symmetric Key Cryptography Introduction to Symmetric Key Cryptography What can we do?

Symmetric Key Cryptography Introduction to Symmetric Key Cryptography What can we do?

PQCRYPTO Summer School on Post-Quantum Cryptography 2017 Stefan Klbl June 20th, 2017 DTU Compute, Technical University of Denmark Symmetric Key Cryptography Introduction to Symmetric Key Cryptography What can we do? Authentication

711 views • 47 slides
The Picnic Post-Quantum Signature Scheme and its Security Analysis Itai Dinur Ben-Gurion

The Picnic Post-Quantum Signature Scheme and its Security Analysis Itai Dinur Ben-Gurion

The Picnic Post-Quantum Signature Scheme and its Security Analysis Itai Dinur Ben-Gurion University Credit for some slides: Melissa Chase and Picnic team Post-Quantum Cryptography Large-scale quantum computer could efficiently factor large

533 views • 34 slides
Post-quantum Security of the CBC, CFB, OFB, Modes of Operation. CTR, and XTS Modes of Operation.

Post-quantum Security of the CBC, CFB, OFB, Modes of Operation. CTR, and XTS Modes of Operation.

Post-quantum Security of the CBC, CFB, OFB, CTR, and XTS Post-quantum Security of the CBC, CFB, OFB, Modes of Operation. CTR, and XTS Modes of Operation. Mayuresh Anand Motivation Mayuresh Anand, Ehsan Ebrahimi Targhi, Gelo Noel Tabia,

235 views • 22 slides
The Quantum Risk & Post-Quantum Crypto JP Aumasson The Quantum Risk & Post-Quantum

The Quantum Risk & Post-Quantum Crypto JP Aumasson The Quantum Risk & Post-Quantum

The Quantum Risk & Post-Quantum Crypto JP Aumasson The Quantum Risk & Post-Quantum Crypto JP Aumasson uantum /me 15 years experience in applied cryptography (PhD, industry, consulting) Designed widely used algorithms Author of the

816 views • 52 slides
Post-Quantum EPID Signatures from Symmetric Primitives Dan Boneh Saba Eskandarian Ben Fisch

Post-Quantum EPID Signatures from Symmetric Primitives Dan Boneh Saba Eskandarian Ben Fisch

Post-Quantum EPID Signatures from Symmetric Primitives Dan Boneh Saba Eskandarian Ben Fisch Hardware Enclaves A trusted component in an untrusted system Protected memory isolates enclave from compromised OS Untrusted System Enclave

505 views • 34 slides
New Algorithms for Quantum (Symmetric) Cryptanalysis Mara Naya-Plasencia 2 , Andr

New Algorithms for Quantum (Symmetric) Cryptanalysis Mara Naya-Plasencia 2 , Andr

Quantum-safe (Symmetric) Cryptography Quantum Collision Search Quantum k-xor Algorithms New Algorithms for Quantum (Symmetric) Cryptanalysis Mara Naya-Plasencia 2 , Andr Schrottenloher 2 Joint work with Andr Chailloux 2 and Lorenzo Grassi

1.63k views • 65 slides
Threshold Ring Signatures: New Security Definitions and Post-Quantum Security Abida Haque ,

Threshold Ring Signatures: New Security Definitions and Post-Quantum Security Abida Haque ,

Problem Description Current State of the Art Our Contribution Our Scheme Summary References Threshold Ring Signatures: New Security Definitions and Post-Quantum Security Abida Haque , Alessandra Scafuro North Carolina State University May

736 views • 61 slides
Exercise - Symmetric Key Cryptography Summer School on Post-Quantum Cryptography 2017 June 20,

Exercise - Symmetric Key Cryptography Summer School on Post-Quantum Cryptography 2017 June 20,

Exercise - Symmetric Key Cryptography Summer School on Post-Quantum Cryptography 2017 June 20, 2017 1 Classic Ciphers Consider a cipher where we substitute each letter of the alphabet with a different letter of the same alphabet. We call such a

281 views • 3 slides
Quantum Algorithms Tutorial Ronald de Wolf 1/ 37 Post-quantum cryptography I Quantum computers

Quantum Algorithms Tutorial Ronald de Wolf 1/ 37 Post-quantum cryptography I Quantum computers

Quantum Algorithms Tutorial Ronald de Wolf 1/ 37 Post-quantum cryptography I Quantum computers can break public-key cryptography that is based on assuming hardness of factoring, discrete logs, and a few other problems I Post-quantum

2.98k views • 37 slides
From linear algebra to post-quantum cryptography Dr. Ir. Fr e Vercauteren

From linear algebra to post-quantum cryptography Dr. Ir. Fr e Vercauteren

Quantum computers and factoring Learning with errors Cryptography from LWE From linear algebra to post-quantum cryptography Dr. Ir. Fr e Vercauteren frederik.vercauteren@gmail.com Open Security Research (China) ESAT/COSIC - KU Leuven

1.34k views • 70 slides
Post-Quantum Zero-Knowledge Proofs for Accumulators with Applications to Ring Signatures from

Post-Quantum Zero-Knowledge Proofs for Accumulators with Applications to Ring Signatures from

Post-Quantum Zero-Knowledge Proofs for Accumulators with Applications to Ring Signatures from Symmetric-Key Primitives David Derler , Sebastian Ramacher , Daniel Slamanig PQC rypto 18, April 9, 2018 1 Ring Signatures P

612 views • 27 slides
Post-Quantum Protecting the worlds information Cyber Security Issues to be considered when

Post-Quantum Protecting the worlds information Cyber Security Issues to be considered when

Post-Quantum Protecting the worlds information Cyber Security Issues to be considered when Implementing Fintech Solutions Contents Four Major Threats When Communicating Online

735 views • 26 slides
Getting Post-Quantum Crypto Algorithms Ready for Deployment End of ECRYPT II Event: Crypto for

Getting Post-Quantum Crypto Algorithms Ready for Deployment End of ECRYPT II Event: Crypto for

Getting Post-Quantum Crypto Algorithms Ready for Deployment End of ECRYPT II Event: Crypto for 2020 Tim Gneysu Hardware Security Group Horst Grtz Institute for IT-Security, Bochum 1/24/2013 Outline Introduction Alternative Public-Key

735 views • 55 slides
Fubswrjudskb Frxuvh qxpehu: 4003-482 / 4005-705 Lqvwuxfwru: Lyrqd Ehcdnryd Wrgdbv Wrslfv:

Fubswrjudskb Frxuvh qxpehu: 4003-482 / 4005-705 Lqvwuxfwru: Lyrqd Ehcdnryd Wrgdbv Wrslfv:

Fubswrjudskb Frxuvh qxpehu: 4003-482 / 4005-705 Lqvwuxfwru: Lyrqd Ehcdnryd Wrgdbv Wrslfv: 1. Orjlvwlfv: - Fodvv olvw - Vboodexv 2. Wkh Pdwk 3. Zkdw lv Fubswrjudskb 4. Vrph Fodvvlfdo Fubswrvbvwhpv Cryptography Course number: 4003-482

484 views • 21 slides
Security II: Cryptography Markus Kuhn Computer Laboratory Lent 2012 Part II

Security II: Cryptography Markus Kuhn Computer Laboratory Lent 2012 Part II

Security II: Cryptography Markus Kuhn Computer Laboratory Lent 2012 Part II http://www.cl.cam.ac.uk/teaching/1213/SecurityII/ 1 Related textbooks Jonathan Katz, Yehuda Lindell: Introduction to Modern Cryptography Chapman & Hall/CRC,

887 views • 39 slides
Basic Ciphers Computer Security: Ensure security of data kept on the computer Ahmet Burak

Basic Ciphers Computer Security: Ensure security of data kept on the computer Ahmet Burak

8.10.2019 Information Security Basic Ciphers Computer Security: Ensure security of data kept on the computer Ahmet Burak Can Network Security: Hacettepe University Ensure security of communication over insecure medium

267 views • 10 slides
Practical Attacks on Implementations Juraj Somorovsky Ruhr University Bochum, HGI 3curity

Practical Attacks on Implementations Juraj Somorovsky Ruhr University Bochum, HGI 3curity

Practical Attacks on Implementations Juraj Somorovsky Ruhr University Bochum, HGI 3curity @jurajsomorovsky 1 Practi tical l Attacks on Real l World ld Crypto to Imple lementa mentati tion ons Juraj Somorovsky 1 Recent years

406 views • 29 slides
B) Symmetric Ciphers B.a) Fundamentals B.b) Block Ciphers B.c) Stream Ciphers 2 B.a)

B) Symmetric Ciphers B.a) Fundamentals B.b) Block Ciphers B.c) Stream Ciphers 2 B.a)

1 B) Symmetric Ciphers B.a) Fundamentals B.b) Block Ciphers B.c) Stream Ciphers 2 B.a) Fundamentals 3 B.1 Definition A mapping Enc: P K C for which k := Enc( ,k): P C is bijective for each k K is called an

1.1k views • 32 slides
Cryptanalysis of EAX Prime Kazuhiko Minematsu, NEC Corporation Stefan Lucks, Bauhaus

Cryptanalysis of EAX Prime Kazuhiko Minematsu, NEC Corporation Stefan Lucks, Bauhaus

Cryptanalysis of EAX Prime Kazuhiko Minematsu, NEC Corporation Stefan Lucks, Bauhaus Universitt Weimar Hiraku Morita, Nagoya University Tetsu Iwata, Nagoya University DIAC, Directions in Authenticated Ciphers July 5 6, 2012,

336 views • 22 slides
Relaxing IND-CCA: Indistinguishability Against Chosen Ciphertext Verification Attack Sumit Kumar

Relaxing IND-CCA: Indistinguishability Against Chosen Ciphertext Verification Attack Sumit Kumar

Relaxing IND-CCA: Indistinguishability Against Chosen Ciphertext Verification Attack Sumit Kumar Pandey Indian Statistical Institute Kolkata January 14, 2012 Sumit Kumar Pandey Relaxing IND-CCA: Indistinguishability Against Chosen Outline 1

624 views • 37 slides
Unforgeable quantum encryption Christian Majenz Joint work with Gorjan Alagic and Tommaso

Unforgeable quantum encryption Christian Majenz Joint work with Gorjan Alagic and Tommaso

Unforgeable quantum encryption Christian Majenz Joint work with Gorjan Alagic and Tommaso Gagliardoni Authenticated Encryption! ( Using AES with 128 bit block size in Galois Counter Mode and SHA2 ) Authenticated Encryption! ( Using AES with 128

893 views • 67 slides

More recommend