quantum-secure symmetric-key cryptography based … · quantum-secure symmetric-key cryptography...

Quantum-secure symmetric-key cryptography based on Hidden Shifts

arXiv:1610.01187

Gorjan AlagicQMATH, Department of Mathematical Sciences

University of Copenhagen

Alexander RussellDepartment of Computer Science & Engineering

University of Connecticut

quantum computation + cryptography

Typical post-quantum crypto:

Classical crypto in quantum world:

Fully-quantum crypto:

classicalquantum

adversary cryptosystem

classicalquantum


quantum


Classical functions on a quantum computer

Let 𝑓: 0,1 𝑛 → 0,1 𝑚 be some function.

Quantum generalizes classical, so we can implement 𝑓 on our quantum computer. How?

1. 𝑥, 𝑦 ↦ (𝑥, 𝑦 ⊕ 𝑓 𝑥 ) [turn into reversible function]

2. 𝑥 𝑦 ↦ 𝑥 |𝑦 ⊕ 𝑓 𝑥 ⟩ [run circuit on your quantum computer]

But wait… now we can plug in non-classical inputs:

𝑥,𝑦

𝛼𝑥𝑦 𝑥 𝑦 ↦

𝑥,𝑦

𝛼𝑥𝑦 𝑥 |𝑦 ⊕ 𝑓 𝑥 ⟩

E.g., can prepare uniform superposition of values:

quantum access?

(𝑥, 𝑓 𝑥 )for random 𝑥

??

𝑥

𝑥 |𝑓 𝑥 ⟩

Recall CPA:

• classically: implements the map: 𝑥 ↦ 𝑬𝒏𝒄𝑘 𝑥 ;

• what happens if 𝐴 can run this map quantumly?

• then 𝐴 gets quantum oracle: 𝑥 𝑦 ↦ 𝑥 |𝑦 ⊕ 𝑬𝒏𝒄𝑘 𝑥 ⟩

• … and can run it on non-classical inputs!

Some protocol involving an encryption scheme 𝑬𝒏𝒄,𝑫𝒆𝒄 …

quantum access?

𝐴

𝑬𝒏𝒄𝑘

𝑬𝒏𝒄𝑘

??

𝑥

𝑥 |𝑬𝒏𝒄𝑘 𝑥 ⟩

In some settings, “quantum oracles” make perfect sense:

• public-key encryption: 𝑝𝑘 ↦ encrypt circuit

• hash functions: algorithm

• exposing code: obfuscated circuit

In other settings, this might depend on the model, or the physics:

• private-key encryption (can device act coherently? “frozen smart card” [GHS16])

• authentication and signatures (can user be fooled into signing superposition?)

In any case: the model is of theoretical interest!

reversible circuit

quantum access: is it realistic?

Yes: pseudorandomness still exists!

[GGM84] construction yields PRFs {𝑓𝑘} which are “quantum oracle” – secure [Zha12].

Maybe everything is ok, even in this model?

is *anything* secure in this model?

Authentication [BZ13]:• Uniformly random key 𝑘 for 𝑓𝑘 ;• 𝐌𝐀𝐂𝑘 𝑚 = 𝑓𝑘 𝑚 .

Encryption [BZ13]:• Uniformly random 𝑘 for 𝑓𝑘 ;• 𝐄𝐧𝐜𝑘 𝑚 = 𝑟, 𝑓𝑘 𝑟 ⊕𝑚 .

“Simplest block cipher” [EM97, DKS11]:

1. Fix public, random permutation 𝑃: 0,1 𝑛 → 0,1 𝑛;

2. Uniformly random key: 𝑘 ∈𝑅 0,1 𝑛;

3. Encrypt: 𝐸𝑘 𝑥 = 𝑃 𝑥 ⊕ 𝑘 ⊕ 𝑘 .

Security:

• 𝐸𝑘 is strongly pseudorandom (even if adversary has 𝑃, 𝑃−1, 𝐸𝑘, 𝐸𝑘−1.)

• ⇒ can’t decrypt;

• ⇒ can’t forge input/output pairs, etc.

𝑃

𝑘 𝑘

𝑥 𝐸𝑘(𝑥)

quantum oracle attacks: an example

simple predecessor to ShorGiven:• oracle access to 𝑓;• Promise ∃𝒌 s.t. 𝑓 𝑥 = 𝑓(𝑦) iff 𝑦 = 𝑥 ⊕ 𝒌;Output:• 𝒌

“Simplest block cipher” [EM97, DKS11]:

𝐸𝑘 𝑥 = 𝑃 𝑥 ⊕ 𝑘 ⊕ 𝑘 .

Quantum attack [KM12]:

1. Form oracle 𝑓 𝑥 = 𝑃 𝑥 ⊕ 𝐸𝑘 𝑥 ;

2. Apply Simon’s algorithm on 𝑓 and output result.

Why does it work? 𝑓 𝑥 = 𝑃 𝑥 ⊕ 𝑃 𝑥 ⊕ 𝑘 ⊕ 𝑘 = 𝑓(𝑥 ⊕ 𝑘)

This is Simon’s promise ⇒ attack will output 𝑘!

Devastating: complete key recovery with only 𝒪(𝑛) queries, space and time!

Simple variants also break: 3-round Feistel [KM10], Encrypted-CBC-MAC, LRW tweakable ciphers, many CAESAR candidates, … [KLLN16, SS16].

quantum oracle attacks: an example

𝑃

𝑘 𝑘

𝑥 𝐸𝑘(𝑥)

Hidden Shift Problem (HS). Fix a finite group 𝐺. Given oracles for injective 𝑓, 𝑔: 𝐺 → 𝑆and a promise that ∃ 𝑠 ∈ 𝐺 such that 𝑓 𝑥 = 𝑔(𝑥 ⋅ 𝑠) for all 𝑥 ∈ 𝐺, output 𝑠.

The Simon attack breaks: Even-Mansour, 3-round Feistel, Encrypted-CBC-MAC, LRW tweakable ciphers, many CAESAR candidates, …

• if viewed in a certain way, all the attacks…

• first build a pair of shifted functions: 𝑓 𝑥 = 𝑔(𝑥 ⊕ 𝑘)…

• … and then apply Simon’s algorithm to 𝑓 𝑥 ⊕ 𝑔(𝑥).

𝒇 𝒈

what is really at the core: hidden shift

well-known to quantum algorithms community!

Classically: requires exponentially-many queries [in 𝑛 = log( 𝐺 ) ].

Quantumly: efficiently solvable for 𝐺 = ℤ2𝑛 (Simon).

For most other groups, appears to be hard.

Cyclic groups: (e.g., ℤ2𝑛)

• best quantum algorithm takes 2𝒪 𝑛 time [Kup03].

• only idea we have (“coset sampling”) : if it works, then UniqueSVP ∈ BQP [Reg02].

Symmetric groups: (i.e., 𝑆𝑛)

• no subexp algorithms known;

• coset sampling unlikely to give even subexp algorithms [MR05, MRS07].

hidden shift problem

Hidden Shift Problem (HS). Fix a finite group 𝐺. Given oracles for injective 𝑓, 𝑔: 𝐺 → 𝑆and a promise that ∃ 𝑠 ∈ 𝐺 such that 𝑓 𝑥 = 𝑔(𝑥 ⋅ 𝑠) for all 𝑥 ∈ 𝐺, output 𝑠.


Generic fix:

• select an exponentially-large group (family) 𝐺 (e.g., cyclic ℤ2n, dihedral 𝐷𝑚, symmetric 𝑆𝑛, Lie-type 𝑆𝐿2(𝔽𝑞), … )

• replace input/output spaces with 𝐺 (or a power of 𝐺).

• replace bitwise XOR operation with group operation on 𝐺.

Sanity check [AH17]:

• this does not affect classical security…

• … or classical-access security against quantum adversaries.

hidden shift crypto


Generic fix:

• select an exponentially-large group (family) 𝐺 (e.g., cyclic ℤ2n, dihedral 𝐷𝑚, symmetric 𝑆𝑛, Lie-type 𝑆𝐿2(𝔽𝑞), …



Example 1: Even-Mansour.

1. Fix public, random permutation 𝑃: 𝐺 → 𝐺;

2. Select key: 𝑘 ∈𝑅 𝐺;

3. Encrypt: 𝐸𝑘 𝑥 = 𝑃 𝑥 ⋅ 𝑘 ⋅ 𝑘 .

𝑃

𝑘 𝑘

𝑥 𝐸𝑘(𝑥)⋅ ⋅

hidden shift crypto

⋅ : 𝐺 × 𝐺 → 𝐺


Generic fix:




Example 2: Feistel network.

1. Choose pseudorandom function 𝑅: 0,1 𝑛 × 𝐺 → 𝐺;

2. Choose keys 𝑘𝑗 ∈𝑅 0,1 𝑛, set 𝑅𝑗 ≔ 𝑅𝑘𝑗;

3. Build pseudorandom permutation on 𝐺 × 𝐺:

R1

R2

R3

+

+

+

⋅

⋅

⋅

hidden shift crypto

⋅ : 𝐺 × 𝐺 → 𝐺


Generic fix:




Example 3: Encrypted-CBC-MAC.

1. Fix keyed, pseudorandom permutation 𝐸: 0,1 𝑛 × 𝐺 → 𝐺;

2. Select key pair: 𝑘, 𝑘1 ∈𝑅 0,1 𝑛;

3. Decompose message 𝑚 ∈ 𝐺𝑙 into blocks 𝑚𝑗 ∈ 𝐺.

Ek Ek … Ek Ek’+ +⋅ ⋅ ⋅1

hidden shift crypto

⋅ : 𝐺 × 𝐺 → 𝐺

Is this “generic fix” a good idea?

1. The Hidden Shift Problem (HS) seems to be a good crypto primitive.

Theorem 1. The Hidden Shift Problem is random self-reducible.

main results



• randomized version “RHS” where 𝑓 is random and 𝑔 is a shift;

• QPT = quantum polynomial-time algorithm.

Proof idea:

Use the “1/poly-fraction” QPT to explore the entire space of instances, by:

1. randomizing shifts by pre-composing 𝑓 (but not 𝑔) with a random shift;

2. randomize outputs by post-composing both 𝑓 and 𝑔 with a qPRF;

3. repeat with fresh randomness, and a fresh qPRF key poly-many times;

4. test any outputs of the QPT by random sampling and checking.

Theorem 1. RHS is random self-reducible. That is, if there exists a QPT which solves RHS for a 1/poly-fraction of inputs, then there exists a QPT which solves RHS and HS for all but a negligible fraction of inputs.

main results



Theorem 2. The decision and search version of HS are equivalent.

main results



Decision version (DRHS). Decide: (i.) 𝑓 is random, 𝑔 is a shift, or (ii.) 𝑓, 𝑔 are random.

Proof idea:

RHS ⇒ DRHS is obvious (note: can amplify here.)

DRHS ⇒ RHS. Descend subgroup tower 𝐺𝑚 ≥ 𝐺𝑚−1 ≥ ⋯ ≥ 𝐺1 recursively.

1. for each transversal element 𝛼, call DRHS on 𝑓 and 𝑔 ∘ 𝐿𝛼 restricted to 𝐺𝑚−1;

2. exactly one value of 𝛼 (say, 𝛽𝑚) will result in “shift;”

3. recursively call algorithm on next level down with restrictions of 𝑓 and 𝑔 ∘ 𝐿𝛽𝑚;

4. output product 𝛽𝑚𝛽𝑚−1⋯𝛽1.

Theorem 2. Suppose 𝐺 has an efficient subgroup series (e.g., ℤ2𝑛 or 𝑆𝑛.) Then there exists a QPT* for DRHS if and only if there exists a QPT* for RHS.

* - with at most 1/poly completeness and soundness error

main results


2. It frustrates all known Simon attacks.

By our theorems + previous results, this would yield:

• (worst-case) quantum algorithm for Hidden Shift;

• (worst-case) quantum algorithm for Hidden Subgroup Problem;

• (over ℤ𝑑) possible poly-time quantum attacks on lattice crypto [Regev02];

• (over 𝑆𝑛) simple poly-time quantum algorithms for Graph Isomorphism;

• (over 𝑆𝑛) efficient attacks on “known-code” version of McEliece [DMR10].

The Simon attack on the Hidden Shift variants of all aforementioned schemes requires a subroutine for efficiently solving the RHS problem over the relevant group family.

main results


3. In some cases, we can prove security reductions.

Theorem 3 [AR16]. Under the HS assumption, the Hidden Shift Even-Mansour cipher is pseudorandom.

HS assumption: there does not exist a polynomial-time quantum algorithm for the Hidden Shift problem which succeeds on all instances.

Theorem 4 [AR16]. Under the HS assumption, the Hidden Shift Encrypted-CBC-MAC is collision-free.

main results

In the “quantum oracle” security model…

• previous results: many standard schemes (Even-Mansour, Feistel, CBC-MAC, etc.) are broken;

• we identified an easy generic patch: replace bitwise XOR with modular addition;

• quantum-resistance of resulting schemes is connected to Hidden Shift and Hidden Subgroup Problem;

• … in some cases via rigorous security reductions;

• this crypto view on HS and HSP led to some new results on their algorithmic hardness!

What’s next?

• what else is broken in this model?

• can HS or HSP serve as a basis for other quantum-secure crypto?

• gain confidence in our security notions for encryption, authentication, signatures, etc.

Thanks!

conclusions

quantum-secure symmetric-key cryptography based … · quantum-secure symmetric-key cryptography...

Documents