beyond post–quantum cryptographymzhandry/docs/talks/beyondpqc.slides.pdfbeyond post -quantum...
TRANSCRIPT
![Page 1: BEYOND POST–QUANTUM CRYPTOGRAPHYmzhandry/docs/talks/BeyondPQC.slides.pdfBeyond Post -Quantum Cryptography Eventually, all computers will be quantum . Adversary may use quantum interactions](https://reader034.vdocument.in/reader034/viewer/2022052014/602ab7bd11ae6b304451c3d2/html5/thumbnails/1.jpg)
BEYOND POST–QUANTUM CRYPTOGRAPHY Mark Zhandry – Stanford University Joint work with Dan Boneh
![Page 2: BEYOND POST–QUANTUM CRYPTOGRAPHYmzhandry/docs/talks/BeyondPQC.slides.pdfBeyond Post -Quantum Cryptography Eventually, all computers will be quantum . Adversary may use quantum interactions](https://reader034.vdocument.in/reader034/viewer/2022052014/602ab7bd11ae6b304451c3d2/html5/thumbnails/2.jpg)
Classical Cryptography
Intro QROM PRFs MACs Signatures Encryption Conclusion
![Page 3: BEYOND POST–QUANTUM CRYPTOGRAPHYmzhandry/docs/talks/BeyondPQC.slides.pdfBeyond Post -Quantum Cryptography Eventually, all computers will be quantum . Adversary may use quantum interactions](https://reader034.vdocument.in/reader034/viewer/2022052014/602ab7bd11ae6b304451c3d2/html5/thumbnails/3.jpg)
Post-Quantum Cryptography
All communication stays classical
Intro QROM PRFs MACs Signatures Encryption Conclusion
![Page 4: BEYOND POST–QUANTUM CRYPTOGRAPHYmzhandry/docs/talks/BeyondPQC.slides.pdfBeyond Post -Quantum Cryptography Eventually, all computers will be quantum . Adversary may use quantum interactions](https://reader034.vdocument.in/reader034/viewer/2022052014/602ab7bd11ae6b304451c3d2/html5/thumbnails/4.jpg)
Beyond Post-Quantum Cryptography Eventually, all computers will be quantum
Adversary may use quantum interactions ⟶ need new security definitions
Intro QROM PRFs MACs Signatures Encryption Conclusion
![Page 5: BEYOND POST–QUANTUM CRYPTOGRAPHYmzhandry/docs/talks/BeyondPQC.slides.pdfBeyond Post -Quantum Cryptography Eventually, all computers will be quantum . Adversary may use quantum interactions](https://reader034.vdocument.in/reader034/viewer/2022052014/602ab7bd11ae6b304451c3d2/html5/thumbnails/5.jpg)
Example: Pseudorandom Functions
Func(X,Y) F
PRF is secure if
Choose random bit b
[GGM’84]
q queries
PRF
Classical security:
Check that b=b’
Intro QROM PRFs MACs Signatures Encryption Conclusion
![Page 6: BEYOND POST–QUANTUM CRYPTOGRAPHYmzhandry/docs/talks/BeyondPQC.slides.pdfBeyond Post -Quantum Cryptography Eventually, all computers will be quantum . Adversary may use quantum interactions](https://reader034.vdocument.in/reader034/viewer/2022052014/602ab7bd11ae6b304451c3d2/html5/thumbnails/6.jpg)
Example: Pseudorandom Functions
Func(X,Y) F
PRF is secure if
Choose random bit b
q queries
PRF
Post-quantum security:
Check that b=b’
Intro QROM PRFs MACs Signatures Encryption Conclusion
![Page 7: BEYOND POST–QUANTUM CRYPTOGRAPHYmzhandry/docs/talks/BeyondPQC.slides.pdfBeyond Post -Quantum Cryptography Eventually, all computers will be quantum . Adversary may use quantum interactions](https://reader034.vdocument.in/reader034/viewer/2022052014/602ab7bd11ae6b304451c3d2/html5/thumbnails/7.jpg)
Example: Pseudorandom Functions
Func(X,Y) F
PRF is secure if
Choose random bit b
q queries
PRF
Quantum security:
Check that b=b’
Intro QROM PRFs MACs Signatures Encryption Conclusion
[Aar’09]
![Page 8: BEYOND POST–QUANTUM CRYPTOGRAPHYmzhandry/docs/talks/BeyondPQC.slides.pdfBeyond Post -Quantum Cryptography Eventually, all computers will be quantum . Adversary may use quantum interactions](https://reader034.vdocument.in/reader034/viewer/2022052014/602ab7bd11ae6b304451c3d2/html5/thumbnails/8.jpg)
Post-Quantum vs Full Quantum Security
In post-quantum setting, security games generally don’t change, only adversary’s computational power ⟶ Can often replace primitives with quantum- immune primitives and have classical proof carry through For full quantum security, security game itself is quantum ⟶ Now, classical proofs often break down ⟶ Need new tools to prove security
Intro QROM PRFs MACs Signatures Encryption Conclusion
![Page 9: BEYOND POST–QUANTUM CRYPTOGRAPHYmzhandry/docs/talks/BeyondPQC.slides.pdfBeyond Post -Quantum Cryptography Eventually, all computers will be quantum . Adversary may use quantum interactions](https://reader034.vdocument.in/reader034/viewer/2022052014/602ab7bd11ae6b304451c3d2/html5/thumbnails/9.jpg)
Non-interactive Security Games If no interaction, security game does not change ⟶ no difference between post-quantum and full quantum security Examples: • One-way functions • Pseudorandom generators • Collision-resistant hash functions In these cases, classical proofs often do carry through • Example:
quantum-secure OWFs quantum-secure PRGs
Intro QROM PRFs MACs Signatures Encryption Conclusion
![Page 10: BEYOND POST–QUANTUM CRYPTOGRAPHYmzhandry/docs/talks/BeyondPQC.slides.pdfBeyond Post -Quantum Cryptography Eventually, all computers will be quantum . Adversary may use quantum interactions](https://reader034.vdocument.in/reader034/viewer/2022052014/602ab7bd11ae6b304451c3d2/html5/thumbnails/10.jpg)
This Talk A First Step: The Quantum Random Oracle Model
[BDFLSZ’11, Zha’12a]
Full Quantum Security: • Quantum-secure PRFs (or quantum PRFs) [Zha’12b]
• Quantum-secure MACs [BZ’12]
• Quantum-secure Signatures and Encryption [BZ’13]
Intro QROM PRFs MACs Signatures Encryption Conclusion
![Page 11: BEYOND POST–QUANTUM CRYPTOGRAPHYmzhandry/docs/talks/BeyondPQC.slides.pdfBeyond Post -Quantum Cryptography Eventually, all computers will be quantum . Adversary may use quantum interactions](https://reader034.vdocument.in/reader034/viewer/2022052014/602ab7bd11ae6b304451c3d2/html5/thumbnails/11.jpg)
Quantum Random Oracle Model
Intro QROM PRFs MACs Signatures Encryption Conclusion
![Page 12: BEYOND POST–QUANTUM CRYPTOGRAPHYmzhandry/docs/talks/BeyondPQC.slides.pdfBeyond Post -Quantum Cryptography Eventually, all computers will be quantum . Adversary may use quantum interactions](https://reader034.vdocument.in/reader034/viewer/2022052014/602ab7bd11ae6b304451c3d2/html5/thumbnails/12.jpg)
Quantum Random Oracle Model A first step towards full quantum security Honest parties still classical (i.e. post-quantum world) Model hash function as a random oracle that accepts quantum queries • Captures ability of adversary to evaluate hash function on
superposition of inputs
All other interaction remains classical
[BDFLSZ’11]
Intro QROM PRFs MACs Signatures Encryption Conclusion
![Page 13: BEYOND POST–QUANTUM CRYPTOGRAPHYmzhandry/docs/talks/BeyondPQC.slides.pdfBeyond Post -Quantum Cryptography Eventually, all computers will be quantum . Adversary may use quantum interactions](https://reader034.vdocument.in/reader034/viewer/2022052014/602ab7bd11ae6b304451c3d2/html5/thumbnails/13.jpg)
Quantum Random Oracle Model
H
Intro QROM PRFs MACs Signatures Encryption Conclusion
![Page 14: BEYOND POST–QUANTUM CRYPTOGRAPHYmzhandry/docs/talks/BeyondPQC.slides.pdfBeyond Post -Quantum Cryptography Eventually, all computers will be quantum . Adversary may use quantum interactions](https://reader034.vdocument.in/reader034/viewer/2022052014/602ab7bd11ae6b304451c3d2/html5/thumbnails/14.jpg)
Quantum Random Oracle Model Proven secure [BDFLSZ’11, Zha’12a]
• Several signature schemes (inc. GPV) • CPA-secure encryption • GPV identity-based encryption Not yet proven • Signatures from identification protocols (Fiat-Shamir) • CCA Encryption from weaker notions
Intro QROM PRFs MACs Signatures Encryption Conclusion
![Page 15: BEYOND POST–QUANTUM CRYPTOGRAPHYmzhandry/docs/talks/BeyondPQC.slides.pdfBeyond Post -Quantum Cryptography Eventually, all computers will be quantum . Adversary may use quantum interactions](https://reader034.vdocument.in/reader034/viewer/2022052014/602ab7bd11ae6b304451c3d2/html5/thumbnails/15.jpg)
Full Quantum Security Quantum-secure PRFs: • PRFs: building block for most of symmetric crypto
• PRPs (e.g. Luby-Rankoff), encryption schemes, MACs
Quantum-secure MACs: • PRF MAC • Natural question: quantum PRF quantum-secure MAC?
Quantum-secure Signatures and Encryption • From generic assumptions? • Security of schemes in the literature?
Intro QROM PRFs MACs Signatures Encryption Conclusion
![Page 16: BEYOND POST–QUANTUM CRYPTOGRAPHYmzhandry/docs/talks/BeyondPQC.slides.pdfBeyond Post -Quantum Cryptography Eventually, all computers will be quantum . Adversary may use quantum interactions](https://reader034.vdocument.in/reader034/viewer/2022052014/602ab7bd11ae6b304451c3d2/html5/thumbnails/16.jpg)
Quantum PRFs [Zha’12b]
Intro QROM PRFs MACs Signatures Encryption Conclusion
![Page 17: BEYOND POST–QUANTUM CRYPTOGRAPHYmzhandry/docs/talks/BeyondPQC.slides.pdfBeyond Post -Quantum Cryptography Eventually, all computers will be quantum . Adversary may use quantum interactions](https://reader034.vdocument.in/reader034/viewer/2022052014/602ab7bd11ae6b304451c3d2/html5/thumbnails/17.jpg)
Separation
PRF Quantum PRF < Theorem: If post-quantum PRFs exist, then there are post-quantum PRFs that are not quantum PRFs
Intro QROM PRFs MACs Signatures Encryption Conclusion
![Page 18: BEYOND POST–QUANTUM CRYPTOGRAPHYmzhandry/docs/talks/BeyondPQC.slides.pdfBeyond Post -Quantum Cryptography Eventually, all computers will be quantum . Adversary may use quantum interactions](https://reader034.vdocument.in/reader034/viewer/2022052014/602ab7bd11ae6b304451c3d2/html5/thumbnails/18.jpg)
Proof
F
F F’
, prime
Intro QROM PRFs MACs Signatures Encryption Conclusion
![Page 19: BEYOND POST–QUANTUM CRYPTOGRAPHYmzhandry/docs/talks/BeyondPQC.slides.pdfBeyond Post -Quantum Cryptography Eventually, all computers will be quantum . Adversary may use quantum interactions](https://reader034.vdocument.in/reader034/viewer/2022052014/602ab7bd11ae6b304451c3d2/html5/thumbnails/19.jpg)
Proof
Lemma 1: If F is post-quantum secure, then so is F’.
As long as for all queries , this looks like a random oracle Probability this fails: O(q2(log N)/N)
F’ H’
H
Intro QROM PRFs MACs Signatures Encryption Conclusion
![Page 20: BEYOND POST–QUANTUM CRYPTOGRAPHYmzhandry/docs/talks/BeyondPQC.slides.pdfBeyond Post -Quantum Cryptography Eventually, all computers will be quantum . Adversary may use quantum interactions](https://reader034.vdocument.in/reader034/viewer/2022052014/602ab7bd11ae6b304451c3d2/html5/thumbnails/20.jpg)
F’(x+p) = F’(x) Quantum queries can find p [BL’95]
Once we know p, easy to distinguish F’ from random
Proof
Lemma 2: Either F or F’ are not quantum secure.
Periodic!
Intro QROM PRFs MACs Signatures Encryption Conclusion
![Page 21: BEYOND POST–QUANTUM CRYPTOGRAPHYmzhandry/docs/talks/BeyondPQC.slides.pdfBeyond Post -Quantum Cryptography Eventually, all computers will be quantum . Adversary may use quantum interactions](https://reader034.vdocument.in/reader034/viewer/2022052014/602ab7bd11ae6b304451c3d2/html5/thumbnails/21.jpg)
How to Construct Quantum PRFs Hope that classical PRFs work in quantum world:
• From quantum-secure pseudorandom generators [GGM’84]
• From quantum-secure pseudorandom synthesizers [NR’95]
• Directly from lattices [BPR’11]
Classical proofs do not carry over into the quantum setting ⟶ Need new proof techniques
Example: GGM
Intro QROM PRFs MACs Signatures Encryption Conclusion
![Page 22: BEYOND POST–QUANTUM CRYPTOGRAPHYmzhandry/docs/talks/BeyondPQC.slides.pdfBeyond Post -Quantum Cryptography Eventually, all computers will be quantum . Adversary may use quantum interactions](https://reader034.vdocument.in/reader034/viewer/2022052014/602ab7bd11ae6b304451c3d2/html5/thumbnails/22.jpg)
Pseudorandom Generators
s
G0(s) G1(s) y
Indistinguishable for Quantum Machines
G
Intro QROM PRFs MACs Signatures Encryption Conclusion
![Page 23: BEYOND POST–QUANTUM CRYPTOGRAPHYmzhandry/docs/talks/BeyondPQC.slides.pdfBeyond Post -Quantum Cryptography Eventually, all computers will be quantum . Adversary may use quantum interactions](https://reader034.vdocument.in/reader034/viewer/2022052014/602ab7bd11ae6b304451c3d2/html5/thumbnails/23.jpg)
The GGM Construction
x0 ⟶
x1 ⟶
x2 ⟶
G
G G
G G G G
k
Intro QROM PRFs MACs Signatures Encryption Conclusion
![Page 24: BEYOND POST–QUANTUM CRYPTOGRAPHYmzhandry/docs/talks/BeyondPQC.slides.pdfBeyond Post -Quantum Cryptography Eventually, all computers will be quantum . Adversary may use quantum interactions](https://reader034.vdocument.in/reader034/viewer/2022052014/602ab7bd11ae6b304451c3d2/html5/thumbnails/24.jpg)
Original Security Proof Step 1: Hybridize over levels of tree
Intro QROM PRFs MACs Signatures Encryption Conclusion
![Page 25: BEYOND POST–QUANTUM CRYPTOGRAPHYmzhandry/docs/talks/BeyondPQC.slides.pdfBeyond Post -Quantum Cryptography Eventually, all computers will be quantum . Adversary may use quantum interactions](https://reader034.vdocument.in/reader034/viewer/2022052014/602ab7bd11ae6b304451c3d2/html5/thumbnails/25.jpg)
Original Security Proof: Step 1
Hybrid 0
Intro QROM PRFs MACs Signatures Encryption Conclusion
![Page 26: BEYOND POST–QUANTUM CRYPTOGRAPHYmzhandry/docs/talks/BeyondPQC.slides.pdfBeyond Post -Quantum Cryptography Eventually, all computers will be quantum . Adversary may use quantum interactions](https://reader034.vdocument.in/reader034/viewer/2022052014/602ab7bd11ae6b304451c3d2/html5/thumbnails/26.jpg)
Original Security Proof: Step 1
Hybrid 1
Intro QROM PRFs MACs Signatures Encryption Conclusion
![Page 27: BEYOND POST–QUANTUM CRYPTOGRAPHYmzhandry/docs/talks/BeyondPQC.slides.pdfBeyond Post -Quantum Cryptography Eventually, all computers will be quantum . Adversary may use quantum interactions](https://reader034.vdocument.in/reader034/viewer/2022052014/602ab7bd11ae6b304451c3d2/html5/thumbnails/27.jpg)
Original Security Proof: Step 1
Hybrid 2
Intro QROM PRFs MACs Signatures Encryption Conclusion
![Page 28: BEYOND POST–QUANTUM CRYPTOGRAPHYmzhandry/docs/talks/BeyondPQC.slides.pdfBeyond Post -Quantum Cryptography Eventually, all computers will be quantum . Adversary may use quantum interactions](https://reader034.vdocument.in/reader034/viewer/2022052014/602ab7bd11ae6b304451c3d2/html5/thumbnails/28.jpg)
Original Security Proof: Step 1
Hybrid 3
Intro QROM PRFs MACs Signatures Encryption Conclusion
![Page 29: BEYOND POST–QUANTUM CRYPTOGRAPHYmzhandry/docs/talks/BeyondPQC.slides.pdfBeyond Post -Quantum Cryptography Eventually, all computers will be quantum . Adversary may use quantum interactions](https://reader034.vdocument.in/reader034/viewer/2022052014/602ab7bd11ae6b304451c3d2/html5/thumbnails/29.jpg)
Original Security Proof: Step 1
Hybrid n
Intro QROM PRFs MACs Signatures Encryption Conclusion
![Page 30: BEYOND POST–QUANTUM CRYPTOGRAPHYmzhandry/docs/talks/BeyondPQC.slides.pdfBeyond Post -Quantum Cryptography Eventually, all computers will be quantum . Adversary may use quantum interactions](https://reader034.vdocument.in/reader034/viewer/2022052014/602ab7bd11ae6b304451c3d2/html5/thumbnails/30.jpg)
Original Security Proof: Step 1
PRF distinguisher will distinguish two adjacent hybrids
Intro QROM PRFs MACs Signatures Encryption Conclusion
![Page 31: BEYOND POST–QUANTUM CRYPTOGRAPHYmzhandry/docs/talks/BeyondPQC.slides.pdfBeyond Post -Quantum Cryptography Eventually, all computers will be quantum . Adversary may use quantum interactions](https://reader034.vdocument.in/reader034/viewer/2022052014/602ab7bd11ae6b304451c3d2/html5/thumbnails/31.jpg)
Original Security Proof: Step 1
PRF distinguisher will distinguish two adjacent hybrids
Intro QROM PRFs MACs Signatures Encryption Conclusion
![Page 32: BEYOND POST–QUANTUM CRYPTOGRAPHYmzhandry/docs/talks/BeyondPQC.slides.pdfBeyond Post -Quantum Cryptography Eventually, all computers will be quantum . Adversary may use quantum interactions](https://reader034.vdocument.in/reader034/viewer/2022052014/602ab7bd11ae6b304451c3d2/html5/thumbnails/32.jpg)
Original Security Proof Step 1: Hybridize over levels of tree
Step 2: Simulate hybrids using q samples
✓
Intro QROM PRFs MACs Signatures Encryption Conclusion
![Page 33: BEYOND POST–QUANTUM CRYPTOGRAPHYmzhandry/docs/talks/BeyondPQC.slides.pdfBeyond Post -Quantum Cryptography Eventually, all computers will be quantum . Adversary may use quantum interactions](https://reader034.vdocument.in/reader034/viewer/2022052014/602ab7bd11ae6b304451c3d2/html5/thumbnails/33.jpg)
Original Security Proof: Step 2
Simulate
Intro QROM PRFs MACs Signatures Encryption Conclusion
![Page 34: BEYOND POST–QUANTUM CRYPTOGRAPHYmzhandry/docs/talks/BeyondPQC.slides.pdfBeyond Post -Quantum Cryptography Eventually, all computers will be quantum . Adversary may use quantum interactions](https://reader034.vdocument.in/reader034/viewer/2022052014/602ab7bd11ae6b304451c3d2/html5/thumbnails/34.jpg)
Original Security Proof: Step 2
Simulate
Put samples here
Intro QROM PRFs MACs Signatures Encryption Conclusion
![Page 35: BEYOND POST–QUANTUM CRYPTOGRAPHYmzhandry/docs/talks/BeyondPQC.slides.pdfBeyond Post -Quantum Cryptography Eventually, all computers will be quantum . Adversary may use quantum interactions](https://reader034.vdocument.in/reader034/viewer/2022052014/602ab7bd11ae6b304451c3d2/html5/thumbnails/35.jpg)
Original Security Proof: Step 2
Rows are exponentially wide
Problem?
Intro QROM PRFs MACs Signatures Encryption Conclusion
![Page 36: BEYOND POST–QUANTUM CRYPTOGRAPHYmzhandry/docs/talks/BeyondPQC.slides.pdfBeyond Post -Quantum Cryptography Eventually, all computers will be quantum . Adversary may use quantum interactions](https://reader034.vdocument.in/reader034/viewer/2022052014/602ab7bd11ae6b304451c3d2/html5/thumbnails/36.jpg)
Original Security Proof: Step 2
Adversary only queries polynomial number of points
Only need to fill active nodes
Active node: value used to answer query
Intro QROM PRFs MACs Signatures Encryption Conclusion
![Page 37: BEYOND POST–QUANTUM CRYPTOGRAPHYmzhandry/docs/talks/BeyondPQC.slides.pdfBeyond Post -Quantum Cryptography Eventually, all computers will be quantum . Adversary may use quantum interactions](https://reader034.vdocument.in/reader034/viewer/2022052014/602ab7bd11ae6b304451c3d2/html5/thumbnails/37.jpg)
Original Security Proof Step 1: Hybridize over levels of tree
Step 2: Simulate hybrids using q samples
Step 3: Pseudorandomness of one PRG sample implies pseudorandomness of q samples
✓
✓
Intro QROM PRFs MACs Signatures Encryption Conclusion
![Page 38: BEYOND POST–QUANTUM CRYPTOGRAPHYmzhandry/docs/talks/BeyondPQC.slides.pdfBeyond Post -Quantum Cryptography Eventually, all computers will be quantum . Adversary may use quantum interactions](https://reader034.vdocument.in/reader034/viewer/2022052014/602ab7bd11ae6b304451c3d2/html5/thumbnails/38.jpg)
Original Security Proof: Step 3
Intro QROM PRFs MACs Signatures Encryption Conclusion
![Page 39: BEYOND POST–QUANTUM CRYPTOGRAPHYmzhandry/docs/talks/BeyondPQC.slides.pdfBeyond Post -Quantum Cryptography Eventually, all computers will be quantum . Adversary may use quantum interactions](https://reader034.vdocument.in/reader034/viewer/2022052014/602ab7bd11ae6b304451c3d2/html5/thumbnails/39.jpg)
Original Security Proof Step 1: Hybridize over levels of tree
Step 2: Simulate hybrids using q samples
Step 3: Pseudorandomness of one PRG sample implies pseudorandomness of q samples
✓
✓
✓
Intro QROM PRFs MACs Signatures Encryption Conclusion
![Page 40: BEYOND POST–QUANTUM CRYPTOGRAPHYmzhandry/docs/talks/BeyondPQC.slides.pdfBeyond Post -Quantum Cryptography Eventually, all computers will be quantum . Adversary may use quantum interactions](https://reader034.vdocument.in/reader034/viewer/2022052014/602ab7bd11ae6b304451c3d2/html5/thumbnails/40.jpg)
Quantum Security Proof Attempt Step 1: Hybridize over levels of tree
Step 2: Simulate hybrids using q samples
Step 3: Quantum pseudorandomness of one PRG sample implies quantum pseudorandomness of q samples
✓
X
✓
Intro QROM PRFs MACs Signatures Encryption Conclusion
![Page 41: BEYOND POST–QUANTUM CRYPTOGRAPHYmzhandry/docs/talks/BeyondPQC.slides.pdfBeyond Post -Quantum Cryptography Eventually, all computers will be quantum . Adversary may use quantum interactions](https://reader034.vdocument.in/reader034/viewer/2022052014/602ab7bd11ae6b304451c3d2/html5/thumbnails/41.jpg)
Difficulty Simulating Hybrids
Adversary can query on all exponentially-many inputs
Intro QROM PRFs MACs Signatures Encryption Conclusion
![Page 42: BEYOND POST–QUANTUM CRYPTOGRAPHYmzhandry/docs/talks/BeyondPQC.slides.pdfBeyond Post -Quantum Cryptography Eventually, all computers will be quantum . Adversary may use quantum interactions](https://reader034.vdocument.in/reader034/viewer/2022052014/602ab7bd11ae6b304451c3d2/html5/thumbnails/42.jpg)
Difficulty Simulating Hybrids
All nodes are active!
Exact simulation requires exponentially-many samples
Need new simulation technique
Intro QROM PRFs MACs Signatures Encryption Conclusion
![Page 43: BEYOND POST–QUANTUM CRYPTOGRAPHYmzhandry/docs/talks/BeyondPQC.slides.pdfBeyond Post -Quantum Cryptography Eventually, all computers will be quantum . Adversary may use quantum interactions](https://reader034.vdocument.in/reader034/viewer/2022052014/602ab7bd11ae6b304451c3d2/html5/thumbnails/43.jpg)
A Distribution to Simulate
H:
For all
Any distribution D on values induces a distribution on functions
Intro QROM PRFs MACs Signatures Encryption Conclusion
![Page 44: BEYOND POST–QUANTUM CRYPTOGRAPHYmzhandry/docs/talks/BeyondPQC.slides.pdfBeyond Post -Quantum Cryptography Eventually, all computers will be quantum . Adversary may use quantum interactions](https://reader034.vdocument.in/reader034/viewer/2022052014/602ab7bd11ae6b304451c3d2/html5/thumbnails/44.jpg)
A Distribution to Simulate Suppose we could simulate DX approximately using a polynomial number of samples from D:
Intro QROM PRFs MACs Signatures Encryption Conclusion
![Page 45: BEYOND POST–QUANTUM CRYPTOGRAPHYmzhandry/docs/talks/BeyondPQC.slides.pdfBeyond Post -Quantum Cryptography Eventually, all computers will be quantum . Adversary may use quantum interactions](https://reader034.vdocument.in/reader034/viewer/2022052014/602ab7bd11ae6b304451c3d2/html5/thumbnails/45.jpg)
Fixing the GGM Proof PRF distinguisher will
distinguish two adjacent hybrids
Intro QROM PRFs MACs Signatures Encryption Conclusion
![Page 46: BEYOND POST–QUANTUM CRYPTOGRAPHYmzhandry/docs/talks/BeyondPQC.slides.pdfBeyond Post -Quantum Cryptography Eventually, all computers will be quantum . Adversary may use quantum interactions](https://reader034.vdocument.in/reader034/viewer/2022052014/602ab7bd11ae6b304451c3d2/html5/thumbnails/46.jpg)
Quantum Security Proof Step 1: Hybridize over levels of tree
Step 2: Simulate hybrids approximately using polynomially-many samples
Step 3: Quantum pseudorandomness of one sample implies quantum pseudorandomness of polynomially-many samples
✓
✓
?
Intro QROM PRFs MACs Signatures Encryption Conclusion
![Page 47: BEYOND POST–QUANTUM CRYPTOGRAPHYmzhandry/docs/talks/BeyondPQC.slides.pdfBeyond Post -Quantum Cryptography Eventually, all computers will be quantum . Adversary may use quantum interactions](https://reader034.vdocument.in/reader034/viewer/2022052014/602ab7bd11ae6b304451c3d2/html5/thumbnails/47.jpg)
Simulating DX We have r samples:
• poly r
Want to simulate:
Intro QROM PRFs MACs Signatures Encryption Conclusion
![Page 48: BEYOND POST–QUANTUM CRYPTOGRAPHYmzhandry/docs/talks/BeyondPQC.slides.pdfBeyond Post -Quantum Cryptography Eventually, all computers will be quantum . Adversary may use quantum interactions](https://reader034.vdocument.in/reader034/viewer/2022052014/602ab7bd11ae6b304451c3d2/html5/thumbnails/48.jpg)
New Tool: Small Range Distributions
For each For each
r samples of D
Intro QROM PRFs MACs Signatures Encryption Conclusion
![Page 49: BEYOND POST–QUANTUM CRYPTOGRAPHYmzhandry/docs/talks/BeyondPQC.slides.pdfBeyond Post -Quantum Cryptography Eventually, all computers will be quantum . Adversary may use quantum interactions](https://reader034.vdocument.in/reader034/viewer/2022052014/602ab7bd11ae6b304451c3d2/html5/thumbnails/49.jpg)
Technical Theorem
H:
Theorem: SRrX(D) is
indistinguishable from DX by any q-query quantum algorithm,
except with probability O(q3/r)
q queries
q queries
H:
Not negligible, but good enough for our purposes
Intro QROM PRFs MACs Signatures Encryption Conclusion
![Page 50: BEYOND POST–QUANTUM CRYPTOGRAPHYmzhandry/docs/talks/BeyondPQC.slides.pdfBeyond Post -Quantum Cryptography Eventually, all computers will be quantum . Adversary may use quantum interactions](https://reader034.vdocument.in/reader034/viewer/2022052014/602ab7bd11ae6b304451c3d2/html5/thumbnails/50.jpg)
Proving the Technical Theorem Let Observation: Goal: bound First, we’ll need What does this buy us?
Lemma: If A makes q quantum queries, then p is a polynomial in 1/r of degree at most 2q
Intro QROM PRFs MACs Signatures Encryption Conclusion
![Page 51: BEYOND POST–QUANTUM CRYPTOGRAPHYmzhandry/docs/talks/BeyondPQC.slides.pdfBeyond Post -Quantum Cryptography Eventually, all computers will be quantum . Adversary may use quantum interactions](https://reader034.vdocument.in/reader034/viewer/2022052014/602ab7bd11ae6b304451c3d2/html5/thumbnails/51.jpg)
Polynomials! Let λ∈[0,1] parameterize a family of oracle distributions Eλ Let A be an oracle algorithm, What if p(λ) is a polynomial of degree d? Markov inequality: Therefore,
Intro QROM PRFs MACs Signatures Encryption Conclusion
![Page 52: BEYOND POST–QUANTUM CRYPTOGRAPHYmzhandry/docs/talks/BeyondPQC.slides.pdfBeyond Post -Quantum Cryptography Eventually, all computers will be quantum . Adversary may use quantum interactions](https://reader034.vdocument.in/reader034/viewer/2022052014/602ab7bd11ae6b304451c3d2/html5/thumbnails/52.jpg)
Proving the Technical Theorem Idea: let Eλ = SR1/λ
X(D) ⟶ p(λ) has degree 2q
?
Problem: Eλ only a distribution for λ = 1/r (integer r) ⟶ 0 ≤ p(λ) ≤ 1 only for λ = 1/r ⟶ Need replacement for Markov inequality
Intro QROM PRFs MACs Signatures Encryption Conclusion
![Page 53: BEYOND POST–QUANTUM CRYPTOGRAPHYmzhandry/docs/talks/BeyondPQC.slides.pdfBeyond Post -Quantum Cryptography Eventually, all computers will be quantum . Adversary may use quantum interactions](https://reader034.vdocument.in/reader034/viewer/2022052014/602ab7bd11ae6b304451c3d2/html5/thumbnails/53.jpg)
Replacement for Markov Inequality
Lemma: If and p is a degree-d polynomial in 1/r, then for all λ in [0,1]
Intro QROM PRFs MACs Signatures Encryption Conclusion
![Page 54: BEYOND POST–QUANTUM CRYPTOGRAPHYmzhandry/docs/talks/BeyondPQC.slides.pdfBeyond Post -Quantum Cryptography Eventually, all computers will be quantum . Adversary may use quantum interactions](https://reader034.vdocument.in/reader034/viewer/2022052014/602ab7bd11ae6b304451c3d2/html5/thumbnails/54.jpg)
Proving the Technical Theorem If , then p satisfies the revised Markov inequality with d=2q
✓
Intro QROM PRFs MACs Signatures Encryption Conclusion
![Page 55: BEYOND POST–QUANTUM CRYPTOGRAPHYmzhandry/docs/talks/BeyondPQC.slides.pdfBeyond Post -Quantum Cryptography Eventually, all computers will be quantum . Adversary may use quantum interactions](https://reader034.vdocument.in/reader034/viewer/2022052014/602ab7bd11ae6b304451c3d2/html5/thumbnails/55.jpg)
One Final Step Recall definition of SR distribution: How do we pick the ix? • Let R be a drawn from (2q)-wise indep. function family • ix = R(x)
For each
Theorem: (2q)-wise independent functions look like random functions to any q-query quantum algorithm
For each
Intro QROM PRFs MACs Signatures Encryption Conclusion
![Page 56: BEYOND POST–QUANTUM CRYPTOGRAPHYmzhandry/docs/talks/BeyondPQC.slides.pdfBeyond Post -Quantum Cryptography Eventually, all computers will be quantum . Adversary may use quantum interactions](https://reader034.vdocument.in/reader034/viewer/2022052014/602ab7bd11ae6b304451c3d2/html5/thumbnails/56.jpg)
Quantum GGM Step 1: Hybridize over levels of tree
Step 2: Simulate hybrids approximately using small range distributions and polynomially-many samples
Step 3: Quantum pseudorandomness of one sample implies quantum pseudorandomness of polynomially-many samples
✓
✓
✓
Intro QROM PRFs MACs Signatures Encryption Conclusion
![Page 57: BEYOND POST–QUANTUM CRYPTOGRAPHYmzhandry/docs/talks/BeyondPQC.slides.pdfBeyond Post -Quantum Cryptography Eventually, all computers will be quantum . Adversary may use quantum interactions](https://reader034.vdocument.in/reader034/viewer/2022052014/602ab7bd11ae6b304451c3d2/html5/thumbnails/57.jpg)
Our PRF Results Separation: PRFs ≠ quantum PRFs New tool: small-range distributions Proofs of quantum security for some classical PRF constructions:
• From quantum-secure pseudorandom generators [GGM’84]
• From quantum-secure pseudorandom synthesizers [NR’95]
• Directly from lattices [BPR’11]
Intro QROM PRFs MACs Signatures Encryption Conclusion
![Page 58: BEYOND POST–QUANTUM CRYPTOGRAPHYmzhandry/docs/talks/BeyondPQC.slides.pdfBeyond Post -Quantum Cryptography Eventually, all computers will be quantum . Adversary may use quantum interactions](https://reader034.vdocument.in/reader034/viewer/2022052014/602ab7bd11ae6b304451c3d2/html5/thumbnails/58.jpg)
Quantum-secure MACs [BZ’12]
Intro QROM PRFs MACs Signatures Encryption Conclusion
![Page 59: BEYOND POST–QUANTUM CRYPTOGRAPHYmzhandry/docs/talks/BeyondPQC.slides.pdfBeyond Post -Quantum Cryptography Eventually, all computers will be quantum . Adversary may use quantum interactions](https://reader034.vdocument.in/reader034/viewer/2022052014/602ab7bd11ae6b304451c3d2/html5/thumbnails/59.jpg)
Classical Security
Choose random key k
q queries Check:
MAC is secure if
Intro QROM PRFs MACs Signatures Encryption Conclusion
![Page 60: BEYOND POST–QUANTUM CRYPTOGRAPHYmzhandry/docs/talks/BeyondPQC.slides.pdfBeyond Post -Quantum Cryptography Eventually, all computers will be quantum . Adversary may use quantum interactions](https://reader034.vdocument.in/reader034/viewer/2022052014/602ab7bd11ae6b304451c3d2/html5/thumbnails/60.jpg)
Post-Quantum Security
Choose random key k
q queries Check:
MAC is secure if
Intro QROM PRFs MACs Signatures Encryption Conclusion
![Page 61: BEYOND POST–QUANTUM CRYPTOGRAPHYmzhandry/docs/talks/BeyondPQC.slides.pdfBeyond Post -Quantum Cryptography Eventually, all computers will be quantum . Adversary may use quantum interactions](https://reader034.vdocument.in/reader034/viewer/2022052014/602ab7bd11ae6b304451c3d2/html5/thumbnails/61.jpg)
Quantum Security?
Choose random key k
q queries Check:
MAC is secure if
Too restrictive
Pick random ri
Intro QROM PRFs MACs Signatures Encryption Conclusion
![Page 62: BEYOND POST–QUANTUM CRYPTOGRAPHYmzhandry/docs/talks/BeyondPQC.slides.pdfBeyond Post -Quantum Cryptography Eventually, all computers will be quantum . Adversary may use quantum interactions](https://reader034.vdocument.in/reader034/viewer/2022052014/602ab7bd11ae6b304451c3d2/html5/thumbnails/62.jpg)
Quantum Security
Choose random key k
q queries Check:
MAC is secure if
Pick random ri
Intro QROM PRFs MACs Signatures Encryption Conclusion
![Page 63: BEYOND POST–QUANTUM CRYPTOGRAPHYmzhandry/docs/talks/BeyondPQC.slides.pdfBeyond Post -Quantum Cryptography Eventually, all computers will be quantum . Adversary may use quantum interactions](https://reader034.vdocument.in/reader034/viewer/2022052014/602ab7bd11ae6b304451c3d2/html5/thumbnails/63.jpg)
Separation
Carries over immediately from PRF separation Also have natural examples where underlying PRF is quantum-secure (Carter-Wegman MAC)
MAC Quantum-secure MAC ≠ Theorem: If post-quantum PRFs exist, then there are post-quantum MACs that are not quantum-secure MACs
Intro QROM PRFs MACs Signatures Encryption Conclusion
![Page 64: BEYOND POST–QUANTUM CRYPTOGRAPHYmzhandry/docs/talks/BeyondPQC.slides.pdfBeyond Post -Quantum Cryptography Eventually, all computers will be quantum . Adversary may use quantum interactions](https://reader034.vdocument.in/reader034/viewer/2022052014/602ab7bd11ae6b304451c3d2/html5/thumbnails/64.jpg)
A Simple Classical MAC Let F be a classically secure PRF F is also a classically-secure MAC: S(k,m) = F(k,m) V(k,m,σ) = F(k,m)==σ? Security: Replace F with random oracle ⟶ Adversary can’t tell difference ⟶ Forgeries correspond to input/output pairs of oracle ⟶ Impossible to generate new pairs
Intro QROM PRFs MACs Signatures Encryption Conclusion
![Page 65: BEYOND POST–QUANTUM CRYPTOGRAPHYmzhandry/docs/talks/BeyondPQC.slides.pdfBeyond Post -Quantum Cryptography Eventually, all computers will be quantum . Adversary may use quantum interactions](https://reader034.vdocument.in/reader034/viewer/2022052014/602ab7bd11ae6b304451c3d2/html5/thumbnails/65.jpg)
A Simple Quantum-secure MAC? Let F be a quantum-secure PRF Is F also a quantum-secure MAC?
Intro QROM PRFs MACs Signatures Encryption Conclusion
![Page 66: BEYOND POST–QUANTUM CRYPTOGRAPHYmzhandry/docs/talks/BeyondPQC.slides.pdfBeyond Post -Quantum Cryptography Eventually, all computers will be quantum . Adversary may use quantum interactions](https://reader034.vdocument.in/reader034/viewer/2022052014/602ab7bd11ae6b304451c3d2/html5/thumbnails/66.jpg)
Security of PRF as a MAC
Choose random key k
q queries Check:
Adversary wins with prob ε
Intro QROM PRFs MACs Signatures Encryption Conclusion
![Page 67: BEYOND POST–QUANTUM CRYPTOGRAPHYmzhandry/docs/talks/BeyondPQC.slides.pdfBeyond Post -Quantum Cryptography Eventually, all computers will be quantum . Adversary may use quantum interactions](https://reader034.vdocument.in/reader034/viewer/2022052014/602ab7bd11ae6b304451c3d2/html5/thumbnails/67.jpg)
Security of PRF as a MAC
Choose random oracle H
q queries Check:
Adversary wins with prob ε-negl
Intro QROM PRFs MACs Signatures Encryption Conclusion
![Page 68: BEYOND POST–QUANTUM CRYPTOGRAPHYmzhandry/docs/talks/BeyondPQC.slides.pdfBeyond Post -Quantum Cryptography Eventually, all computers will be quantum . Adversary may use quantum interactions](https://reader034.vdocument.in/reader034/viewer/2022052014/602ab7bd11ae6b304451c3d2/html5/thumbnails/68.jpg)
Quantum Oracle Interrogation Allowed q quantum queries to random oracle H Goal: produce q+1 input/output pairs Classical queries: can’t do better than 1/|Y| ⟶ Hard if H outputs super-logarithmically many bits Quantum queries? ⟶ get to “see” entire oracle with a single query
Intro QROM PRFs MACs Signatures Encryption Conclusion
![Page 69: BEYOND POST–QUANTUM CRYPTOGRAPHYmzhandry/docs/talks/BeyondPQC.slides.pdfBeyond Post -Quantum Cryptography Eventually, all computers will be quantum . Adversary may use quantum interactions](https://reader034.vdocument.in/reader034/viewer/2022052014/602ab7bd11ae6b304451c3d2/html5/thumbnails/69.jpg)
Single-Bit Outputs Bad news: If |Y|=2 (i.e. single bit output), the oracle interrogation problem is easy.
Theorem([vD’98]): There is an algorithm that makes q quantum queries to any oracle H:X{0,1} and produces 1.99q input/output pairs, with probability 1-negl(q)
Are we in trouble?
Intro QROM PRFs MACs Signatures Encryption Conclusion
![Page 70: BEYOND POST–QUANTUM CRYPTOGRAPHYmzhandry/docs/talks/BeyondPQC.slides.pdfBeyond Post -Quantum Cryptography Eventually, all computers will be quantum . Adversary may use quantum interactions](https://reader034.vdocument.in/reader034/viewer/2022052014/602ab7bd11ae6b304451c3d2/html5/thumbnails/70.jpg)
Arbitrary Output Size We exactly characterize the difficulty of the oracle interrogation problem:
Two cases: • log |Y| ≤ (log q)/2: probability is negligibly close to 1 Easy • log |Y| = ω(log q): probability is negligible Hard
Theorem: Any quantum algorithm making q quantum queries to an oracle H:XY solves the oracle interrogation problem with probability at most 1-(1-|Y|-1)q+1. Moreover, there is a quantum algorithm exactly matching this bound.
✓
Intro QROM PRFs MACs Signatures Encryption Conclusion
![Page 71: BEYOND POST–QUANTUM CRYPTOGRAPHYmzhandry/docs/talks/BeyondPQC.slides.pdfBeyond Post -Quantum Cryptography Eventually, all computers will be quantum . Adversary may use quantum interactions](https://reader034.vdocument.in/reader034/viewer/2022052014/602ab7bd11ae6b304451c3d2/html5/thumbnails/71.jpg)
Security of PRF as a MAC
Choose random oracle H
q queries Check:
Adversary wins with prob ε-negl
Must be negligible ⟶ ε is negligible
Intro QROM PRFs MACs Signatures Encryption Conclusion
![Page 72: BEYOND POST–QUANTUM CRYPTOGRAPHYmzhandry/docs/talks/BeyondPQC.slides.pdfBeyond Post -Quantum Cryptography Eventually, all computers will be quantum . Adversary may use quantum interactions](https://reader034.vdocument.in/reader034/viewer/2022052014/602ab7bd11ae6b304451c3d2/html5/thumbnails/72.jpg)
The Rank Method Fix q, let be final state (before measurement) of quantum algorithm after q queries to H spans some subspace of the overall Hilbert space Let
Lemma: For any goal, the probability of success is at most Rank times the probability of success of the best 0-query algorithm
Intro QROM PRFs MACs Signatures Encryption Conclusion
![Page 73: BEYOND POST–QUANTUM CRYPTOGRAPHYmzhandry/docs/talks/BeyondPQC.slides.pdfBeyond Post -Quantum Cryptography Eventually, all computers will be quantum . Adversary may use quantum interactions](https://reader034.vdocument.in/reader034/viewer/2022052014/602ab7bd11ae6b304451c3d2/html5/thumbnails/73.jpg)
Applying the Rank Method Goal: output k=(q+1) input/output pairs Best 0-query algorithm: pick k arbitrary distinct inputs, guess outputs Success prob: (|Y|-1)k = |Y|-(q+1) Only need to bound the rank of any q-query algorithm
Intro QROM PRFs MACs Signatures Encryption Conclusion
![Page 74: BEYOND POST–QUANTUM CRYPTOGRAPHYmzhandry/docs/talks/BeyondPQC.slides.pdfBeyond Post -Quantum Cryptography Eventually, all computers will be quantum . Adversary may use quantum interactions](https://reader034.vdocument.in/reader034/viewer/2022052014/602ab7bd11ae6b304451c3d2/html5/thumbnails/74.jpg)
The Rank Method
Lemma: The rank of any algorithm that makes q queries to an oracle H: XY is at most
Exact
Intro QROM PRFs MACs Signatures Encryption Conclusion
![Page 75: BEYOND POST–QUANTUM CRYPTOGRAPHYmzhandry/docs/talks/BeyondPQC.slides.pdfBeyond Post -Quantum Cryptography Eventually, all computers will be quantum . Adversary may use quantum interactions](https://reader034.vdocument.in/reader034/viewer/2022052014/602ab7bd11ae6b304451c3d2/html5/thumbnails/75.jpg)
Applying the Rank Method Prob success of any q-query algorithm ≤ Rank * best success prob of 0-query algs
Too big!
Intro QROM PRFs MACs Signatures Encryption Conclusion
![Page 76: BEYOND POST–QUANTUM CRYPTOGRAPHYmzhandry/docs/talks/BeyondPQC.slides.pdfBeyond Post -Quantum Cryptography Eventually, all computers will be quantum . Adversary may use quantum interactions](https://reader034.vdocument.in/reader034/viewer/2022052014/602ab7bd11ae6b304451c3d2/html5/thumbnails/76.jpg)
Applying the Rank Method Observation: for any (q+1) inputs, knowing H at other points does not help determine H at these points ⟶ Might as well only query on superpositions of (q+1) points
✓
Intro QROM PRFs MACs Signatures Encryption Conclusion
![Page 77: BEYOND POST–QUANTUM CRYPTOGRAPHYmzhandry/docs/talks/BeyondPQC.slides.pdfBeyond Post -Quantum Cryptography Eventually, all computers will be quantum . Adversary may use quantum interactions](https://reader034.vdocument.in/reader034/viewer/2022052014/602ab7bd11ae6b304451c3d2/html5/thumbnails/77.jpg)
Our MAC Results Exact characterization of success probability for quantum oracle interrogation • Developed new general tool: Rank method Quantum-secure MACs: • Quantum-secure PRFs are quantum-secure MACs • A variant of Carter-Wegman is quantum-secure One-time quantum-secure MACs: • Pairwise independence is not enough • 4-wise independence is
Intro QROM PRFs MACs Signatures Encryption Conclusion
![Page 78: BEYOND POST–QUANTUM CRYPTOGRAPHYmzhandry/docs/talks/BeyondPQC.slides.pdfBeyond Post -Quantum Cryptography Eventually, all computers will be quantum . Adversary may use quantum interactions](https://reader034.vdocument.in/reader034/viewer/2022052014/602ab7bd11ae6b304451c3d2/html5/thumbnails/78.jpg)
Quantum-Secure Signatures [BZ’13]
Intro QROM PRFs MACs Signatures Encryption Conclusion
![Page 79: BEYOND POST–QUANTUM CRYPTOGRAPHYmzhandry/docs/talks/BeyondPQC.slides.pdfBeyond Post -Quantum Cryptography Eventually, all computers will be quantum . Adversary may use quantum interactions](https://reader034.vdocument.in/reader034/viewer/2022052014/602ab7bd11ae6b304451c3d2/html5/thumbnails/79.jpg)
Quantum Security
q queries Check:
S is secure if
Pick random ri
Intro QROM PRFs MACs Signatures Encryption Conclusion
![Page 80: BEYOND POST–QUANTUM CRYPTOGRAPHYmzhandry/docs/talks/BeyondPQC.slides.pdfBeyond Post -Quantum Cryptography Eventually, all computers will be quantum . Adversary may use quantum interactions](https://reader034.vdocument.in/reader034/viewer/2022052014/602ab7bd11ae6b304451c3d2/html5/thumbnails/80.jpg)
Separation
Sig Quantum-secure Sig ≠ Theorem: If post-quantum signatures exist, then there are post-quantum signatures that are not quantum-secure signatures
Intro QROM PRFs MACs Signatures Encryption Conclusion
![Page 81: BEYOND POST–QUANTUM CRYPTOGRAPHYmzhandry/docs/talks/BeyondPQC.slides.pdfBeyond Post -Quantum Cryptography Eventually, all computers will be quantum . Adversary may use quantum interactions](https://reader034.vdocument.in/reader034/viewer/2022052014/602ab7bd11ae6b304451c3d2/html5/thumbnails/81.jpg)
Building Quantum-secure Signatures Hope that existing constructions can be proven secure:
• Lattice schemes [ABB’10,CHKP’10] • Generic constructions (Lamport, Merkle) • RO schemes [GPV’08]
Compilers to boost security?
Intro QROM PRFs MACs Signatures Encryption Conclusion
![Page 82: BEYOND POST–QUANTUM CRYPTOGRAPHYmzhandry/docs/talks/BeyondPQC.slides.pdfBeyond Post -Quantum Cryptography Eventually, all computers will be quantum . Adversary may use quantum interactions](https://reader034.vdocument.in/reader034/viewer/2022052014/602ab7bd11ae6b304451c3d2/html5/thumbnails/82.jpg)
One-time QROM Conversion Let (G,S,V) be a classically secure signature scheme Construct new QROM scheme (G,S’,V’) where:
Theorem: If (G,S,V) is one-time post-quantum secure, then (G,S’,V’) is one-time quantum secure in the quantum random oracle model.
Intro QROM PRFs MACs Signatures Encryption Conclusion
![Page 83: BEYOND POST–QUANTUM CRYPTOGRAPHYmzhandry/docs/talks/BeyondPQC.slides.pdfBeyond Post -Quantum Cryptography Eventually, all computers will be quantum . Adversary may use quantum interactions](https://reader034.vdocument.in/reader034/viewer/2022052014/602ab7bd11ae6b304451c3d2/html5/thumbnails/83.jpg)
Proof Sketch Start with a one-time adversary for S’: Step 1: Replace H with a SR distribution on t samples. ⟶ S only evaluated on t points Problem: Adversary only generates 2 signatures!
Intro QROM PRFs MACs Signatures Encryption Conclusion
![Page 84: BEYOND POST–QUANTUM CRYPTOGRAPHYmzhandry/docs/talks/BeyondPQC.slides.pdfBeyond Post -Quantum Cryptography Eventually, all computers will be quantum . Adversary may use quantum interactions](https://reader034.vdocument.in/reader034/viewer/2022052014/602ab7bd11ae6b304451c3d2/html5/thumbnails/84.jpg)
Proof Sketch Step 2: Sample H(m)
S only evaluated on 1 input! ⟶ One signature must be forgery
measurement
Intro QROM PRFs MACs Signatures Encryption Conclusion
![Page 85: BEYOND POST–QUANTUM CRYPTOGRAPHYmzhandry/docs/talks/BeyondPQC.slides.pdfBeyond Post -Quantum Cryptography Eventually, all computers will be quantum . Adversary may use quantum interactions](https://reader034.vdocument.in/reader034/viewer/2022052014/602ab7bd11ae6b304451c3d2/html5/thumbnails/85.jpg)
Measurement Lemma
Lemma: Pr[xA’] ≥ Pr[xA]/k
measurement
measurement partial
measurement
A:
A’:
Results in one of k outcomes
Intro QROM PRFs MACs Signatures Encryption Conclusion
![Page 86: BEYOND POST–QUANTUM CRYPTOGRAPHYmzhandry/docs/talks/BeyondPQC.slides.pdfBeyond Post -Quantum Cryptography Eventually, all computers will be quantum . Adversary may use quantum interactions](https://reader034.vdocument.in/reader034/viewer/2022052014/602ab7bd11ae6b304451c3d2/html5/thumbnails/86.jpg)
Proof Sketch Step 2: Sample H(m)
only reduces adversary’s success probability by factor of t
S only evaluated on 1 input! ⟶ One signature must be forgery
Intro QROM PRFs MACs Signatures Encryption Conclusion
measurement
![Page 87: BEYOND POST–QUANTUM CRYPTOGRAPHYmzhandry/docs/talks/BeyondPQC.slides.pdfBeyond Post -Quantum Cryptography Eventually, all computers will be quantum . Adversary may use quantum interactions](https://reader034.vdocument.in/reader034/viewer/2022052014/602ab7bd11ae6b304451c3d2/html5/thumbnails/87.jpg)
Generalizing to Many-time Security Let be a pairwise independent function family.
Theorem: If (G,S,V) is classically secure, then (G,S’,V’) is quantum secure in the quantum random oracle model.
Intro QROM PRFs MACs Signatures Encryption Conclusion
![Page 88: BEYOND POST–QUANTUM CRYPTOGRAPHYmzhandry/docs/talks/BeyondPQC.slides.pdfBeyond Post -Quantum Cryptography Eventually, all computers will be quantum . Adversary may use quantum interactions](https://reader034.vdocument.in/reader034/viewer/2022052014/602ab7bd11ae6b304451c3d2/html5/thumbnails/88.jpg)
Our Signature Constructions Two compilers:
• Post-quantum security Quantum security in the QROM • GPV probabilistic full domain hash
• Post-quantum security + chameleon hash Quantum security
• CHKP’10 signatures • Modification to ABB’10 signatures
GPV in the QROM From generic assumptions:
• Lamport signatures + Merkle signatures • From any hash function
Generalization of Rank theorem
Intro QROM PRFs MACs Signatures Encryption Conclusion
![Page 89: BEYOND POST–QUANTUM CRYPTOGRAPHYmzhandry/docs/talks/BeyondPQC.slides.pdfBeyond Post -Quantum Cryptography Eventually, all computers will be quantum . Adversary may use quantum interactions](https://reader034.vdocument.in/reader034/viewer/2022052014/602ab7bd11ae6b304451c3d2/html5/thumbnails/89.jpg)
Quantum-Secure Encryption [BZ’13]
Intro QROM PRFs MACs Signatures Encryption Conclusion
![Page 90: BEYOND POST–QUANTUM CRYPTOGRAPHYmzhandry/docs/talks/BeyondPQC.slides.pdfBeyond Post -Quantum Cryptography Eventually, all computers will be quantum . Adversary may use quantum interactions](https://reader034.vdocument.in/reader034/viewer/2022052014/602ab7bd11ae6b304451c3d2/html5/thumbnails/90.jpg)
Quantum Security
, random b
Check b = b’
Quantum secure if
Intro QROM PRFs MACs Signatures Encryption Conclusion
![Page 91: BEYOND POST–QUANTUM CRYPTOGRAPHYmzhandry/docs/talks/BeyondPQC.slides.pdfBeyond Post -Quantum Cryptography Eventually, all computers will be quantum . Adversary may use quantum interactions](https://reader034.vdocument.in/reader034/viewer/2022052014/602ab7bd11ae6b304451c3d2/html5/thumbnails/91.jpg)
Encryption Results Classical challenge is required
• Quantum challenge queries lead to unsatisfiable definitions
Separation:
• If classically secure encryption schemes exist, then there are classically secure encryption schemes that are not quantum-secure
Constructions: • Symmetric CCA from quantum-secure PRFs • Public Key CCA from LWE
• Quantum selectively-secure IBE + generic conversion
Intro QROM PRFs MACs Signatures Encryption Conclusion
![Page 92: BEYOND POST–QUANTUM CRYPTOGRAPHYmzhandry/docs/talks/BeyondPQC.slides.pdfBeyond Post -Quantum Cryptography Eventually, all computers will be quantum . Adversary may use quantum interactions](https://reader034.vdocument.in/reader034/viewer/2022052014/602ab7bd11ae6b304451c3d2/html5/thumbnails/92.jpg)
Summary of Separation Results
PRF
MAC
Sign
Enc
Classical Security:
≠
Quantum Security:
PRF
MAC
Sign
Enc
Intro QROM PRFs MACs Signatures Encryption Conclusion
![Page 93: BEYOND POST–QUANTUM CRYPTOGRAPHYmzhandry/docs/talks/BeyondPQC.slides.pdfBeyond Post -Quantum Cryptography Eventually, all computers will be quantum . Adversary may use quantum interactions](https://reader034.vdocument.in/reader034/viewer/2022052014/602ab7bd11ae6b304451c3d2/html5/thumbnails/93.jpg)
Summary of Positive Results
PRFs
MACs
Signatures
Sym Enc
Pub Enc
Independence Lemma
SR-Distribution Theorem
Rank Method
Measurement Lemma
First quantum proofs for:
Intro QROM PRFs MACs Signatures Encryption Conclusion
![Page 94: BEYOND POST–QUANTUM CRYPTOGRAPHYmzhandry/docs/talks/BeyondPQC.slides.pdfBeyond Post -Quantum Cryptography Eventually, all computers will be quantum . Adversary may use quantum interactions](https://reader034.vdocument.in/reader034/viewer/2022052014/602ab7bd11ae6b304451c3d2/html5/thumbnails/94.jpg)
Future Work Many natural open questions:
• Quantum PRFs ⇒ Quantum PRPs (Luby-Rackoff)? • 3-wise independence enough for 1-time MAC? • Quantum-secure authenticated encryption ⇒ quantum-secure CCA? • Signatures from one-way functions?
More complicated primitives?
• Adaptively secure (H)IBE? • Functional encryption?
Thank you!
Intro QROM PRFs MACs Signatures Encryption Conclusion