Quantum-secure symmetric-key cryptography based on Hidden Shifts (PowerPoint presentation)


SLIDE 1

Quantum-secure symmetric-key cryptography based on Hidden Shifts

arXiv:1610.01187

Gorjan Alagic, QMATH, Department of Mathematical Sciences, University of Copenhagen

Alexander Russell, Department of Computer Science & Engineering, University of Connecticut

SLIDE 2: quantum computation + cryptography

Three settings (diagram):

  • Typical post-quantum crypto: quantum adversary, classical cryptosystem.
  • Classical crypto in a quantum world: quantum adversary, classical cryptosystem, but the adversary is given quantum access to it (the model studied in this talk).
  • Fully-quantum crypto: quantum adversary, quantum cryptosystem.

SLIDE 3: quantum access?

Classical functions on a quantum computer. Let $f: \{0,1\}^n \to \{0,1\}^m$ be some function. Quantum generalizes classical, so we can implement $f$ on our quantum computer. How?

  • 1. $(x, y) \mapsto (x, y \oplus f(x))$ [turn into a reversible function]
  • 2. $|x\rangle|y\rangle \mapsto |x\rangle|y \oplus f(x)\rangle$ [run the circuit on your quantum computer]

But wait… now we can plug in non-classical inputs:

$\sum_{x,y} \alpha_{xy}\,|x\rangle|y\rangle \;\mapsto\; \sum_{x,y} \alpha_{xy}\,|x\rangle|y \oplus f(x)\rangle$

E.g., can prepare a uniform superposition of values: $\sum_x |x\rangle|f(x)\rangle$ [compare classical access, which yields a single pair $(x, f(x))$ for a random $x$].

SLIDE 4: quantum access?

Some protocol involving an encryption scheme $(\mathbf{Enc}, \mathbf{Dec})$… Recall CPA:

  • classically: the oracle implements the map $x \mapsto \mathbf{Enc}_k(x)$;
  • what happens if $A$ can run this map quantumly?
  • then $A$ gets the quantum oracle $|x\rangle|y\rangle \mapsto |x\rangle|y \oplus \mathbf{Enc}_k(x)\rangle$
  • … and can run it on non-classical inputs!

[diagram: $A$ queries $\mathbf{Enc}_k$; with classical access it learns pairs $(x, \mathbf{Enc}_k(x))$, with quantum access it can obtain $\sum_x |x\rangle|\mathbf{Enc}_k(x)\rangle$]
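As an added illustration of slides 3 and 4 (this is not code from the original deck or its authors): a tiny state-vector simulation in Python of the oracle $|x\rangle|y\rangle \mapsto |x\rangle|y \oplus f(x)\rangle$ applied to a uniform superposition. The 4-bit Even-Mansour instance, its permutation $P$ (chosen by hand), the key and all function names are constructed for this example; $f$ is the function slide 8 feeds to Simon's algorithm, so measuring the output register leaves the input register on a pair $\{x, x \oplus k\}$, which is the structure quantum access exposes.

```python
import math

def uniform_superposition(n):
    """State sum_x 2^{-n/2} |x>|0> over n-bit x, stored as {(x, y): amplitude}."""
    amp = 1 / math.sqrt(1 << n)
    return {(x, 0): amp for x in range(1 << n)}

def apply_oracle(state, f):
    """The quantum oracle U_f: |x>|y> -> |x>|y XOR f(x)>, extended by linearity
    to every basis term of the state (this is what quantum access to f means)."""
    out = {}
    for (x, y), a in state.items():
        key = (x, y ^ f(x))
        out[key] = out.get(key, 0.0) + a
    return out

def measure_second_register(state, value):
    """Born rule for observing `value` in the y register: returns the probability
    and the renormalised post-measurement state of the x register."""
    terms = {x: a for (x, y), a in state.items() if y == value}
    prob = sum(abs(a) ** 2 for a in terms.values())
    if prob == 0.0:
        return 0.0, {}
    return prob, {x: a / math.sqrt(prob) for x, a in terms.items()}

# Constructed 4-bit Even-Mansour instance: P is a fixed permutation of {0..15}
# (made up for this example) and K is the secret key.
P = [0, 1, 2, 3, 4, 5, 6, 7, 14, 13, 8, 11, 9, 10, 15, 12]
K = 0b1011

def enc(x):
    """E_k(x) = P(x XOR k) XOR k, as on slide 7."""
    return P[x ^ K] ^ K

def km12_function(x):
    """f(x) = P(x) XOR E_k(x), the function slide 8 feeds to Simon's algorithm."""
    return P[x] ^ enc(x)

def collision_pairs(n=4):
    """Run U_f on the uniform superposition, then measure the output register at
    every value it can take.  Returns the set of x-register supports observed:
    each is a pair {x, x XOR K}, i.e. Simon's promise made visible."""
    state = apply_oracle(uniform_superposition(n), km12_function)
    supports = set()
    for v in range(1 << n):
        prob, post = measure_second_register(state, v)
        if prob > 0:
            supports.add(frozenset(post))
    return supports

def simon_promise_holds(n=4):
    """True iff every observed support is exactly {x, x XOR K} for some x."""
    return all(len(s) == 2 and (min(s) ^ max(s)) == K for s in collision_pairs(n))
```

After the oracle call every one of the 16 basis terms carries amplitude $1/4$; each value in the image of $f$ is observed with probability $2/16$, and the input register collapses onto the two preimages $x$ and $x \oplus k$. Simon's algorithm then extracts $k$ from such states with a Hadamard transform and linear algebra; this simulation stops at the point where the quantum-access model already reveals the collision structure.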

SLIDE 5: quantum access: is it realistic?

In some settings, “quantum oracles” make perfect sense:

  • public-key encryption: $pk \mapsto$ encrypt circuit
  • hash functions: algorithm
  • exposing code: obfuscated circuit

[diagram: in each of these cases the adversary holds a reversible circuit for the function]

In other settings, this might depend on the model, or the physics:

  • private-key encryption (can the device act coherently? “frozen smart card” [GHS16])
  • authentication and signatures (can the user be fooled into signing a superposition?)

In any case: the model is of theoretical interest!

SLIDE 6: is *anything* secure in this model?

Maybe everything is ok, even in this model? Yes: pseudorandomness still exists! The [GGM84] construction yields PRFs $\{f_k\}$ which are “quantum oracle”-secure [Zha12].

Authentication [BZ13]:

  • uniformly random key $k$ for $f_k$;
  • $\mathbf{MAC}_k(m) = f_k(m)$.

Encryption [BZ13]:

  • uniformly random $k$ for $f_k$;
  • $\mathbf{Enc}_k(m) = (r, f_k(r) \oplus m)$.

SLIDE 7: quantum oracle attacks: an example

“Simplest block cipher” [EM97, DKS11]:

  • 1. Fix a public, random permutation $P: \{0,1\}^n \to \{0,1\}^n$;
  • 2. Uniformly random key: $k \in_R \{0,1\}^n$;
  • 3. Encrypt: $E_k(x) = P(x \oplus k) \oplus k$.

[diagram: $x \to \oplus\, k \to P \to \oplus\, k \to E_k(x)$]

Security:

  • $E_k$ is strongly pseudorandom (even if the adversary has $P$, $P^{-1}$, $E_k$, $E_k^{-1}$);
  • ⇒ can't decrypt;
  • ⇒ can't forge input/output pairs, etc.

SLIDE 8: quantum oracle attacks: an example

Simon's problem (simple predecessor to Shor). Given:

  • oracle access to $f$;
  • promise: $\exists\, k$ s.t. $f(x) = f(y)$ iff $y = x \oplus k$;

Output:

  • $k$.

“Simplest block cipher” [EM97, DKS11]: $E_k(x) = P(x \oplus k) \oplus k$. [diagram: $x \to \oplus\, k \to P \to \oplus\, k \to E_k(x)$]

Quantum attack [KM12]:

  • 1. Form the oracle $f(x) = P(x) \oplus E_k(x)$;
  • 2. Apply Simon's algorithm to $f$ and output the result.

Why does it work? $f(x) = P(x) \oplus P(x \oplus k) \oplus k = f(x \oplus k)$. This is Simon's promise ⇒ the attack will output $k$! Devastating: complete key recovery with only $O(n)$ queries, space and time! Simple variants also break: 3-round Feistel [KM10], Encrypted-CBC-MAC, LRW tweakable ciphers, many CAESAR candidates, … [KLLN16, SS16].

SLIDE 9: what is really at the core: hidden shift

The Simon attack breaks: Even-Mansour, 3-round Feistel, Encrypted-CBC-MAC, LRW tweakable ciphers, many CAESAR candidates, …

  • if viewed in a certain way, all the attacks…
  • first build a pair of shifted functions: $f(x) = g(x \oplus k)$…
  • … and then apply Simon's algorithm to $f(x) \oplus g(x)$.

Hidden Shift Problem (HS). Fix a finite group $G$. Given oracles for injective $f, g: G \to S$ and a promise that $\exists\, s \in G$ such that $f(x) = g(x \cdot s)$ for all $x \in G$, output $s$.

Well-known to the quantum algorithms community!

SLIDE 10: hidden shift problem

Hidden Shift Problem (HS), as defined on the previous slide: injective $f, g: G \to S$ with $f(x) = g(x \cdot s)$ for all $x \in G$; output $s$.

Classically: requires exponentially-many queries [in $n = \log|G|$]. Quantumly: efficiently solvable for $G = \mathbb{Z}_2^n$ (Simon). For most other groups, appears to be hard.

Cyclic groups (e.g., $\mathbb{Z}_{2^n}$):

  • best quantum algorithm takes $2^{O(\sqrt{n})}$ time [Kup03];
  • only idea we have (“coset sampling”): if it works, then UniqueSVP ∈ BQP [Reg02].

Symmetric groups (i.e., $S_n$):

  • no subexponential algorithms known;
  • coset sampling unlikely to give even subexponential algorithms [MR05, MRS07].

SLIDE 11: hidden shift crypto

The Simon attack breaks: Even-Mansour, 3-round Feistel, Encrypted-CBC-MAC, LRW tweakable ciphers, many CAESAR candidates, … Generic fix:

  • select an exponentially-large group (family) $G$ (e.g., cyclic $\mathbb{Z}_{2^n}$, dihedral $D_n$, symmetric $S_n$, Lie-type $SL_2(\mathbb{F}_q)$, …);
  • replace input/output spaces with $G$ (or a power of $G$);
  • replace the bitwise XOR operation with the group operation on $G$.

Sanity check [AH17]:

  • this does not affect classical security…
  • … or classical-access security against quantum adversaries.

SLIDE 12: hidden shift crypto

Example 1: Even-Mansour (with the group operation $\cdot : G \times G \to G$ in place of XOR).

  • 1. Fix a public, random permutation $P: G \to G$;
  • 2. Select key: $k \in_R G$;
  • 3. Encrypt: $E_k(x) = P(x \cdot k) \cdot k$.

[diagram: $x \to \cdot\, k \to P \to \cdot\, k \to E_k(x)$]
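To see the identity from slide 8 concretely, and what changes under Example 1's group-operation variant, here is an added Python check (not code from the talk or its authors). It builds a small Even-Mansour instance with a constructed, seeded random permutation, forms the KM12 function $f(x) = P(x) \oplus E_k(x)$ and brute-forces its XOR periods, then applies the same combination to the additive cipher $E_k(x) = P(x + k) + k$ over $\mathbb{Z}_{2^n}$. The function names, the 8-bit block size, the key and the seed are choices made for this example.

```python
import random

def random_permutation(n, seed=1):
    """Constructed stand-in for the public random permutation P on {0,1}^n
    (a seeded shuffle, so the example is reproducible)."""
    rng = random.Random(seed)
    table = list(range(1 << n))
    rng.shuffle(table)
    return table

def even_mansour_xor(P, k, x):
    """Even-Mansour as on slide 7: E_k(x) = P(x XOR k) XOR k."""
    return P[x ^ k] ^ k

def even_mansour_add(P, k, x, n):
    """Hidden Shift Even-Mansour over Z_{2^n} (Example 1 with G = Z_{2^n}):
    E_k(x) = P(x + k) + k, both additions mod 2^n."""
    N = 1 << n
    return (P[(x + k) % N] + k) % N

def xor_periods(func, n):
    """Every nonzero k' with func(x) == func(x XOR k') for all x.  Simon's promise
    holds for func iff this set is non-empty.  Brute force: small n only."""
    N = 1 << n
    return {kp for kp in range(1, N)
            if all(func(x) == func(x ^ kp) for x in range(N))}

def simon_structure(n=8, k=0xA5, seed=1):
    """Return (XOR periods of the KM12 function for the XOR cipher,
               XOR periods of the same combination for the additive cipher)."""
    P = random_permutation(n, seed)
    # KM12 oracle, slide 8: f(x) = P(x) XOR E_k(x) = P(x) XOR P(x XOR k) XOR k
    f_xor = lambda x: P[x] ^ even_mansour_xor(P, k, x)
    # the analogous combination for the Z_{2^n} cipher: P(x) - E_k(x) mod 2^n
    f_add = lambda x: (P[x] - even_mansour_add(P, k, x, n)) % (1 << n)
    return xor_periods(f_xor, n), xor_periods(f_add, n)
```

For the XOR cipher the only nonzero period is $k$ itself, which is exactly Simon's promise. For the $\mathbb{Z}_{2^n}$ cipher the same combination has no XOR period at all; what remains is a hidden shift instance over $\mathbb{Z}_{2^n}$, for which slide 10 lists only subexponential algorithms. The exhaustive search is possible only because $n = 8$; it checks the algebra behind the attack and is not a substitute for Simon's algorithm.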

SLIDE 13: hidden shift crypto

Example 2: Feistel network.

  • 1. Choose a pseudorandom function $R: \{0,1\}^n \times G \to G$;
  • 2. Choose keys $k_i \in_R \{0,1\}^n$, set $R_i := R_{k_i}$;
  • 3. Build a pseudorandom permutation on $G \times G$.

[diagram: three Feistel rounds with round functions $R_1, R_2, R_3$, combined with the group operation $\cdot : G \times G \to G$ in place of XOR]

SLIDE 14: hidden shift crypto

Example 3: Encrypted-CBC-MAC.

  • 1. Fix a keyed, pseudorandom permutation $E: \{0,1\}^n \times G \to G$;
  • 2. Select a key pair: $k, k' \in_R \{0,1\}^n$;
  • 3. Decompose the message $m \in G^{\ell}$ into blocks $m_i \in G$.

[diagram: CBC chain of $E_k$ calls over the blocks, with the group operation $\cdot : G \times G \to G$ in place of XOR, followed by a final encryption under $E_{k'}$]

SLIDE 15: main results

Is this “generic fix” a good idea?

  • 1. The Hidden Shift Problem (HS) seems to be a good crypto primitive.

Theorem 1. The Hidden Shift Problem is random self-reducible.

SLIDE 16: main results

Theorem 1 in detail. Notation:

  • randomized version “RHS” where $f$ is random and $g$ is a shift;
  • QPT = quantum polynomial-time algorithm.

Theorem 1. RHS is random self-reducible. That is, if there exists a QPT which solves RHS for a 1/poly-fraction of inputs, then there exists a QPT which solves RHS and HS for all but a negligible fraction of inputs.

Proof idea: Use the “1/poly-fraction” QPT to explore the entire space of instances, by:

  • 1. randomizing shifts by pre-composing $f$ (but not $g$) with a random shift;
  • 2. randomizing outputs by post-composing both $f$ and $g$ with a qPRF;
  • 3. repeating with fresh randomness, and a fresh qPRF key, poly-many times;
  • 4. testing any output of the QPT by random sampling and checking.

SLIDE 17: main results

Theorem 2. The decision and search versions of HS are equivalent.

SLIDE 18: main results

Decision version (DRHS). Decide: (i) $f$ is random, $g$ is a shift, or (ii) $f, g$ are random.

Theorem 2. Suppose $G$ has an efficient subgroup series (e.g., $\mathbb{Z}_2^n$ or $S_n$). Then there exists a QPT* for DRHS if and only if there exists a QPT* for RHS.

* with at most 1/poly completeness and soundness error

Proof idea: RHS ⇒ DRHS is obvious (note: can amplify here). DRHS ⇒ RHS: descend the subgroup tower $G_m \ge G_{m-1} \ge \cdots \ge G_1$ recursively.

  • 1. for each transversal element $\alpha$, call DRHS on $f$ and $g \circ L_\alpha$ restricted to $G_{m-1}$;
  • 2. exactly one value of $\alpha$ (say, $\beta_m$) will result in “shift”;
  • 3. recursively call the algorithm on the next level down with the restrictions of $f$ and $g \circ L_{\beta_m}$;
  • 4. output the product $\beta_m \beta_{m-1} \cdots \beta_1$.
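The two proof ideas on slides 16 and 18 can be traced in code. The following Python example is added here and is not the authors' code: it works over the cyclic group $\mathbb{Z}_{64}$ (small enough that the oracles the reductions treat as black boxes can be faked by brute force), represents an RHS instance as a pair of functions with $f(x) = g(x + s)$, and implements (i) the random self-reduction of Theorem 1 around a deliberately weak solver that only handles shifts below $N/8$, and (ii) the DRHS ⇒ RHS descent of Theorem 2 down the tower $H_n \ge H_{n-1} \ge \cdots \ge H_0 = \{0\}$ of subgroups of $\mathbb{Z}_{2^n}$, where $H_j$ consists of the multiples of $2^{n-j}$. The names rhs_instance, weak_solver, self_reduce, brute_force_decider and search_from_decision, the group size and the seeds are assumptions of the example, not notation from the talk.

```python
import random

N_BITS = 6
N = 1 << N_BITS   # G = Z_N with N = 64: small enough for the brute-force stand-ins below

def rhs_instance(s, seed=7):
    """Constructed RHS instance over Z_N: f is a random injective function (here a
    random permutation of Z_N) and g is its shift, so f(x) = g(x + s) for all x."""
    rng = random.Random(seed)
    table = list(range(N))
    rng.shuffle(table)
    return (lambda x: table[x % N]), (lambda x: table[(x - s) % N])

def verify_shift(f, g, t, rng, samples=8):
    """Step 4 of the Theorem 1 proof idea: check a candidate shift t on random
    inputs.  Because g is injective, one sample already pins t down."""
    return all(f(x) == g((x + t) % N) for x in (rng.randrange(N) for _ in range(samples)))

# ---- Theorem 1: random self-reduction --------------------------------------

def weak_solver(f, g):
    """Stand-in for a QPT that only succeeds on a 1/poly fraction of instances:
    it only tries shifts below N/8 and otherwise returns a useless answer."""
    for t in range(N // 8):
        if f(0) == g(t) and f(1) == g((1 + t) % N):
            return t
    return 0

def self_reduce(f, g, solver=weak_solver, seed=11, max_tries=200):
    """Lift a solver for some instances to one for (almost) all of them:
    pre-compose f with a random shift r (the hidden shift becomes r + s),
    post-compose both functions with a random injection pi (stand-in for the
    qPRF), run the solver, check its answer by sampling, repeat with fresh
    randomness.  Returns (recovered shift, tries) or (None, max_tries)."""
    rng = random.Random(seed)
    for tries in range(1, max_tries + 1):
        r = rng.randrange(N)
        pi = list(range(N))
        rng.shuffle(pi)
        f_r = lambda x, r=r, pi=pi: pi[f((x + r) % N)]   # f_r(x) = pi(f(x + r))
        g_p = lambda x, pi=pi: pi[g(x)]                  # g_p(x) = pi(g(x))
        t = solver(f_r, g_p)                              # candidate for r + s
        if verify_shift(f_r, g_p, t, rng):
            return (t - r) % N, tries
    return None, max_tries

# ---- Theorem 2: decision => search ------------------------------------------

def brute_force_decider(f, h, j):
    """Stand-in for the DRHS oracle on the subgroup H_j = {multiples of 2^(n-j)}
    of Z_N: answers True ('shift') iff some t in H_j has f(x) == h(x + t) for all
    x in H_j.  Brute force for illustration; the reduction treats it as a black box."""
    H = range(0, N, 1 << (N_BITS - j))
    return any(all(f(x) == h((x + t) % N) for x in H) for t in H)

def search_from_decision(f, g, decider=brute_force_decider):
    """Descend the tower H_n >= H_{n-1} >= ... >= H_0 = {0}.  At level j the
    transversal of H_{j-1} in H_j is {0, 2^(n-j)}; exactly one element alpha makes
    (f, h o L_alpha) a shift pair on H_{j-1}.  The product (here: sum) of the
    chosen alphas is the shift.  Returns (shift, number of decider calls)."""
    h, shift, calls = g, 0, 0
    for j in range(N_BITS, 0, -1):
        gen = 1 << (N_BITS - j)
        for alpha in (0, gen):
            h_alpha = (lambda hh, a: (lambda x: hh((a + x) % N)))(h, alpha)  # h o L_alpha
            calls += 1
            if decider(f, h_alpha, j - 1):
                h, shift = h_alpha, (shift + alpha) % N
                break
        else:
            raise ValueError("promise violated: no transversal element gives a shift")
    return shift, calls
```

search_from_decision makes at most $2n$ decider calls, against the $2^n$ candidates a direct search over $\mathbb{Z}_{2^n}$ would have to test. self_reduce succeeds after about 8 tries on average, because a uniformly random $r$ puts the randomized shift $r + s$ into the weak solver's range with probability $1/8$, and the sampling check rejects every wrong answer the solver returns in between. The group is abelian, so left multiplication $L_\alpha$ is just addition of $\alpha$; nothing else about $\mathbb{Z}_{64}$ is used beyond its subgroup series.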

SLIDE 19: main results

Is this “generic fix” a good idea?

  • 2. It frustrates all known Simon attacks.

The Simon attack on the Hidden Shift variants of all aforementioned schemes requires a subroutine for efficiently solving the RHS problem over the relevant group family. By our theorems + previous results, this would yield:

  • a (worst-case) quantum algorithm for Hidden Shift;
  • a (worst-case) quantum algorithm for the Hidden Subgroup Problem;
  • (over cyclic groups) possible poly-time quantum attacks on lattice crypto [Regev02];
  • (over $S_n$) simple poly-time quantum algorithms for Graph Isomorphism;
  • (over $S_n$) efficient attacks on the “known-code” version of McEliece [DMR10].

SLIDE 20: main results

Is this “generic fix” a good idea?

  • 3. In some cases, we can prove security reductions.

HS assumption: there does not exist a polynomial-time quantum algorithm for the Hidden Shift problem which succeeds on all instances.

Theorem 3 [AR16]. Under the HS assumption, the Hidden Shift Even-Mansour cipher is pseudorandom.

Theorem 4 [AR16]. Under the HS assumption, the Hidden Shift Encrypted-CBC-MAC is collision-free.

SLIDE 21: conclusions

In the “quantum oracle” security model…

  • previous results: many standard schemes (Even-Mansour, Feistel, CBC-MAC, etc.) are broken;
  • we identified an easy generic patch: replace bitwise XOR with modular addition;
  • quantum-resistance of the resulting schemes is connected to the Hidden Shift and Hidden Subgroup Problems;
  • … in some cases via rigorous security reductions;
  • this crypto view on HS and HSP led to some new results on their algorithmic hardness!

What's next?

  • what else is broken in this model?
  • can HS or HSP serve as a basis for other quantum-secure crypto?
  • gain confidence in our security notions for encryption, authentication, signatures, etc.

Thanks!