Copyright©2018 NTT corp. All Rights Reserved.
Building Quantum-One-Way Functions from Block Ciphers: Davies-Meyer and Merkle-Damgård Constructions
2018.12.3 Asiacrypt 2018 @ Brisbane
Akinori Hosoyamada (NTT / Nagoya University) and Kan Yasuda (NTT)

Outline
• Backgrounds
  • Post-quantum security of sym-key schemes
  • Are hash functions post-quantum secure?
• Our Results
• Summary

Symmetric-key & quantum: backgrounds
“the security of symmetric key crypto will not be affected by quantum computers”

Known quantum attacks: ~2010

| | Classical | Quantum |
|---|---|---|
| Exhaustive key search | $O(2^n)$ | $O(2^{n/2})$ |
| Collision search | $O(2^{n/2})$ | $O(2^{n/3})$ |

“It is sufficient to use 2n-bit keys instead of n-bit keys”

Known attacks: 2018

| | Classical | Quantum |
|---|---|---|
| Exhaustive key search | $O(2^n)$ | $O(2^{n/2})$ |
| Collision search | $O(2^{n/2})$ | $O(2^{n/3})$ |
| Key recovery attack against Even-Mansour | $O(2^{n/2})$ | Poly-time |
| Forgery attack against CBC-like MACs | $O(2^{n/2})$ | Poly-time |

Note: We assume that quantum oracles are available

Symmetric-key & quantum: backgrounds
“the security of symmetric key crypto would not be affected by quantum computers”
Poly-time attack is possible !!
・The works by Kuwakado and Morii (ISIT 2010, ISITA 2012)
・The work by Kaplan et al. (CRYPTO 2016)
We should study post-quantum security of symmetric key crypto carefully

Post-quantum security requirement for hash
Hash functions should be secure against quantum superposition query attacks
• Reason: Hash functions are public and used to instantiate QRO (Quantum Random Oracle)
• Many post-quantum public-key schemes are proven to be secure in the quantum random oracle model
  Hash-based signature, Key Exchange,…
We study security of typical hash constructions: Merkle-Damgård with Davies-Meyer

Typical construction: Merkle-Damgård with Davies-Meyer
[Figure: Merkle-Damgård construction. The message (abcd efgh ijkl) is split into blocks; h, a function with small input/output, is applied once per block, starting from the initial value and ending at the output.]

Typical construction: Merkle-Damgård with Davies-Meyer
[Figure: Davies-Meyer construction. Labels: Block Cipher, Input 1, Input 2, XOR, Output.]

[Figure: the same diagram with Input 2 replaced by "Fix". Labels: Block Cipher, Fix, Input 1, XOR, Output.]

[Figure: the same diagram with the block cipher replaced by a permutation P. Labels: Permutation P, Input 1, XOR, Output.]

[Figure: the same function drawn as a single box. Labels: Input 1, Output.]

Quantum insecure construction: Even-Mansour cipher
[Figure: Even-Mansour cipher. Labels: Permutation & XOR, Quantum insecure.]

Typical construction: Merkle-Damgård with Davies-Meyer
[Figure: simplified hash function. Labels: Input 1, Permutation & XOR, Output.]
Is this secure????
Let’s try to come up with a poly-time attack !!

It is hard to make poly-time attacks…
Why impossible?
• Strategy of quantum poly-time attacks:
  1. Make a periodic function with a secret period
  2. Apply Simon’s period finding algorithm
Hash functions have no secret information!!
If attack is impossible, let’s give a security proof

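The contrast drawn on this slide, checked classically on a toy 8-bit permutation (an added example, not code from the slides or the authors). It assumes the usual Even-Mansour form E(x) = P(x ⊕ k1) ⊕ k2 and reads the simplified hash function as F(x) = P(x) ⊕ x; the function g, the key values and all names are constructed for illustration.

```python
import random

N_BITS = 8                      # toy block size (constructed); real ciphers use n >= 64
SIZE = 1 << N_BITS


def random_permutation(rng):
    """Public permutation P on {0,1}^n, stored as a lookup table."""
    table = list(range(SIZE))
    rng.shuffle(table)
    return table


def even_mansour(P, k1, k2):
    """Keyed cipher E(x) = P(x XOR k1) XOR k2, tabulated for every x."""
    return [P[x ^ k1] ^ k2 for x in range(SIZE)]


def simplified_hash(P):
    """Keyless function F(x) = P(x) XOR x (Davies-Meyer with one input fixed)."""
    return [P[x] ^ x for x in range(SIZE)]


def em_periodic_function(P, E):
    """g(x) = E(x) XOR P(x), built from the keyed oracle and the public P.

    g(x XOR k1) = P(x) XOR k2 XOR P(x XOR k1) = g(x), so the secret k1 is a period.
    """
    return [E[x] ^ P[x] for x in range(SIZE)]


def xor_periods(g):
    """All s with g(x XOR s) == g(x) for every x, found by exhaustive check.

    Simon's algorithm finds such an s with polynomially many superposition
    queries; the exhaustive loop here only exposes the structure it relies on.
    """
    return [s for s in range(SIZE)
            if all(g[x ^ s] == g[x] for x in range(SIZE))]


def demo(seed=2018):
    rng = random.Random(seed)
    P = random_permutation(rng)
    k1, k2 = 0xA7, 0x3C         # constructed secret key
    g = em_periodic_function(P, even_mansour(P, k1, k2))
    return {
        # the keyed construction hides its key in a period
        "even_mansour_periods": xor_periods(g),
        # the keyless function has no secret and shows only the trivial period
        "hash_periods": xor_periods(simplified_hash(P)),
    }


if __name__ == "__main__":
    print(demo())
```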
Security notions for hash functions
1. Preimage resistance (One-wayness)
2. Second preimage resistance
3. Collision resistance
“Post-quantum secure” hash functions must satisfy all of them against quantum superposition attackers
Our focus

Our results
1. Proposal of a quantum version of the ideal cipher model
2. Proof of optimal one-wayness ($2^{n/2}$ quantum queries are required to break one-wayness) of the combination of Merkle-Damgård with Davies-Meyer (fixed block length, with a specific padding)
3. A proof technique to show quantum oracle indistinguishability

Quantum ideal cipher model
• Permutation is chosen at random for each key K, and given to the adversary as a quantum black-box oracle
• Adversary can make quantum superposition queries to both Enc oracle and Dec oracle
[Figure: the adversary queries the oracles $E(\cdot,\cdot)$ and $D(\cdot,\cdot)$ for $E_K$.]

Quantum ideal cipher model
$E_K \xleftarrow{\$} \mathrm{Perm}(\{0,1\}^n)$ for each $K$
Quantum oracles
$$
\begin{aligned}
O_E :\ & |0\rangle|k\rangle|x\rangle|y\rangle \mapsto |0\rangle|k\rangle|x\rangle|y \oplus E_k(x)\rangle \\
& |1\rangle|k\rangle|x\rangle|y\rangle \mapsto |1\rangle|k\rangle|x\rangle|y \oplus D_k(x)\rangle
\end{aligned}
$$

Our Construction: Merkle-Damgård with Davies-Meyer (fixed block-length, with a specific padding)
Input: $x = x_0 \| x_1 \| \cdots \| x_\ell$ ($x_0 \in \{0,1\}^n$ and $x_1, \dots, x_\ell \in \{0,1\}^{n'}$, $n' < n$)
Output: $y \in \{0,1\}^n$
[Figure: the construction, with wires labelled n, n, n and m, m, m.]

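A classical toy model of the quantum ideal cipher model and of the construction above: a cipher that answers forward (E) and backward (D) queries, the oracle $O_E$ restricted to basis states, and a Merkle-Damgård/Davies-Meyer hash built on it. This is an added example, not the authors' code; the sizes n = 8, n' = 6, m = 8, the zero-padding of each $x_i$ to an m-bit key and the wiring (padded block as key, chaining value as plaintext) are assumptions, since the slides do not spell out the padding.

```python
import random

N = 8          # block size n in bits (toy value, constructed)
N_PRIME = 6    # message-block size n' < n (toy value, constructed)
M = 8          # key size m in bits (toy value, constructed)


class IdealCipher:
    """E_K drawn uniformly from Perm({0,1}^n), independently for each key K."""

    def __init__(self, seed):
        self._seed = seed
        self._tables = {}            # key -> (encryption table, decryption table)

    def _perm(self, k):
        if k not in self._tables:
            rng = random.Random((self._seed << M) | k)   # one stream per key
            enc = list(range(1 << N))
            rng.shuffle(enc)
            dec = [0] * (1 << N)
            for x, y in enumerate(enc):
                dec[y] = x
            self._tables[k] = (enc, dec)
        return self._tables[k]

    def E(self, k, x):
        """Forward query."""
        return self._perm(k)[0][x]

    def D(self, k, y):
        """Backward query, available to the adversary in the ideal cipher model."""
        return self._perm(k)[1][y]

    def oracle(self, b, k, x, y):
        """O_E on a basis state |b>|k>|x>|y>: XOR E_k(x) (b=0) or D_k(x) (b=1) into y.

        Applying it twice restores y, so it permutes basis states (it is unitary).
        """
        value = self.E(k, x) if b == 0 else self.D(k, x)
        return (b, k, x, y ^ value)


def pad(block):
    """Hypothetical padding: the n'-bit block followed by m - n' zero bits."""
    if not 0 <= block < (1 << N_PRIME):
        raise ValueError("message block must fit in n' bits")
    return block << (M - N_PRIME)


def davies_meyer(cipher, chaining, block):
    """h(chaining, block) = E_{pad(block)}(chaining) XOR chaining."""
    return cipher.E(pad(block), chaining) ^ chaining


def md_dm_hash(cipher, x0, blocks):
    """H^E(x0 || x1 || ... || xl): iterate Davies-Meyer, starting from the n-bit x0."""
    if not 0 <= x0 < (1 << N):
        raise ValueError("x0 must fit in n bits")
    state = x0
    for block in blocks:
        state = davies_meyer(cipher, state, block)
    return state


if __name__ == "__main__":
    cipher = IdealCipher(seed=1)
    print(hex(md_dm_hash(cipher, 0x5A, [1, 2, 3])))
```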
Our second result
Theorem 5.2
For any quantum q-query adversary A,
$$\mathrm{Adv}^{\mathrm{ow}}_{H^E}(A) \le O\left(q/2^{n/2}\right) + \text{small terms}$$
holds. $H^E$ is Merkle-Damgård with Davies-Meyer (fixed block length and specific padding)
Giving a proof = giving a quantum query lower bound

Remarks on query lower bound

| Area [Model] | Problems | Backward query? |
|---|---|---|
| Quantum computation | Worst case | × |
| Cryptography [(Q)ROM] ((Quantum) Random Oracle Model) | Average case (randomized) | × |
| Cryptography [(Q)ICM] ((Quantum) Ideal Cipher Model) | Average case (randomized) | ○ |

Our theorem is the first result on quantum query lower bound that takes backward queries to public permutations / BCs into account without any algebraic assumptions

Our Construction: Merkle-Damgård with Davies-Meyer (fixed block-length, with a specific padding)
[Figure: the construction, with wires labelled n, n, n and m, m, m.]
Somewhat complex…

Merkle-Damgård with Davies-Meyer (with a specific padding)
Let’s show this simplified function is one-way
[Figure: the simplified function, with input $x$ and output $y$.]

One-wayness: proof strategy
It can be easily shown that:
Breaking one-wayness of [figure: the simplified function]
is almost as hard as
Finding a fixed point of $P$ (an element x s.t. P(x)=x)

One-wayness: proof strategy
Next: I want to reduce
Finding a fixed point of $P$
to
Distinguishing two distributions $D_1, D_2$ on $\mathrm{Func}(\{0,1\}^n, \{0,1\})$
Since Boolean functions are much simpler than permutations

Distributions $D_1, D_2$ on the set of boolean functions
• Define $D_1$ on $\mathrm{Func}(\{0,1\}^n, \{0,1\})$ as the distribution which corresponds to the following sampling:
  1. $P \xleftarrow{\$} \mathrm{Perm}(\{0,1\}^n)$
  2. Define $f: \{0,1\}^n \to \{0,1\}$ by $f(x) = 1$ iff $P(x) = x$
  3. Return $f$
• $D_1$ is the “distribution of fixed points of RP”
• Define $D_2$ as the degenerate distribution on the zero function

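A toy check of the two steps in this part of the proof strategy (an added example, not the authors' code): preimages of y under the simplified function are exactly the fixed points of a shifted permutation, and a sample from $D_1$ is either the zero function or very close to it. It assumes the simplified function is F(x) = P(x) ⊕ x; the 8-bit size, the seeds and all function names are constructed.

```python
import random


def random_permutation(n_bits, rng):
    """Step 1 of the sampling: P drawn uniformly from Perm({0,1}^n)."""
    table = list(range(1 << n_bits))
    rng.shuffle(table)
    return table


def simplified_hash(P, x):
    """F(x) = P(x) XOR x."""
    return P[x] ^ x


def preimages(P, y):
    """All x with F(x) == y, by exhaustive search (toy sizes only)."""
    return [x for x in range(len(P)) if simplified_hash(P, x) == y]


def fixed_points(P):
    return [x for x in range(len(P)) if P[x] == x]


def shifted(P, y):
    """P_y(x) = P(x) XOR y, again a permutation, and uniform whenever P is."""
    return [v ^ y for v in P]


def check_reduction(n_bits, seed):
    """F(x) = y  <=>  P_y(x) = x, verified for every target y."""
    P = random_permutation(n_bits, random.Random(seed))
    return all(preimages(P, y) == fixed_points(shifted(P, y))
               for y in range(len(P)))


def sample_D1(n_bits, rng):
    """Steps 1-3: return f (as a truth table) with f(x) = 1 iff P(x) = x."""
    P = random_permutation(n_bits, rng)
    return [1 if P[x] == x else 0 for x in range(len(P))]


def sample_D2(n_bits):
    """The degenerate distribution: always the zero function."""
    return [0] * (1 << n_bits)


def d1_statistics(n_bits, trials, seed=0):
    """Fraction of D1 samples equal to the zero function, and mean number of ones."""
    rng = random.Random(seed)
    zero_functions = 0
    total_ones = 0
    for _ in range(trials):
        ones = sum(sample_D1(n_bits, rng))
        zero_functions += (ones == 0)
        total_ones += ones
    return zero_functions / trials, total_ones / trials


if __name__ == "__main__":
    print("reduction holds:", check_reduction(8, seed=1))
    # About 1/e of the samples are identical to D2's zero function, and a sample
    # has one 1 on average among 2^n inputs, so telling D1 from D2 means
    # searching for a rare marked input.
    print("zero fraction, mean ones:", d1_statistics(8, 2000))
```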
One-wayness: proof strategy
Intuitively,
Finding a fixed point of $P$
is almost as hard as
Distinguishing two distributions $D_1, D_2$ on $\mathrm{Func}(\{0,1\}^n, \{0,1\})$

One-wayness: proof strategy
It is sufficient to show that
Distinguishing two distributions $D_1, D_2$ on $\mathrm{Func}(\{0,1\}^n, \{0,1\})$ is hard
to show
Breaking one-wayness of [figure: the simplified function] is hard
How to show it is hard? → our third result

Our third result
Proposition 3.2
Let $D_1$ be an arbitrary distribution on $\mathrm{Func}(\{0,1\}^n, \{0,1\})$, and $D_2$ be the degenerate distribution on the zero function. Then
$$\mathrm{Adv}^{\mathrm{dist}}_{D_1,D_2}(A) \le 2q \sum_{\alpha} p_1^{\mathrm{good}_\alpha} \sqrt{p_1^{f|\mathrm{good}_\alpha} \cdot \max_x \left|\{f \in \mathrm{good}_\alpha \mid f(x) = 1\}\right|} + \Pr_{F \sim D_1}[F \in \mathrm{bad}]$$
holds.
$\{\mathrm{good}_\alpha\}_\alpha$ ⋯ a set of subsets of $\mathrm{Func}(\{0,1\}^n, \{0,1\})$
$\mathrm{bad} := \mathrm{Func}(\{0,1\}^n, \{0,1\}) \setminus \bigcup_\alpha \mathrm{good}_\alpha$
$p_1^{\mathrm{good}_\alpha} := \Pr_{F \sim D_1}[F \in \mathrm{good}_\alpha]$, $p_1^{f|\mathrm{good}_\alpha} := \Pr_{F \sim D_1}[F = f \mid F \in \mathrm{good}_\alpha]$
Condition: $\mathrm{good}_\alpha \cap \mathrm{good}_\beta = \emptyset$, and $p_1^{f|\mathrm{good}_\alpha}$ is independent of $f$
We can give an upper bound of the advantage with only calculations of classical probabilities, if we can choose some “good” subsets of $\mathrm{Func}(\{0,1\}^n, \{0,1\})$

Recall arguments on our second result…
With our third result, we can show
Distinguishing two distributions $D_1, D_2$ on the set of boolean functions $\mathrm{Func}(\{0,1\}^n, \{0,1\})$ is hard
$O(2^{n/2})$ queries are required to distinguish $D_1, D_2$ with a constant probability
thus
Breaking one-wayness of [figure: the simplified function] is hard

Summary
・The combination of Merkle-Damgård with Davies-Meyer is one-way in “quantum ideal cipher model” (fixed block-length, with specific padding)
・The first result on quantum query lower bound that takes backward queries to public permutations or block ciphers into account w/o any algebraic assumptions
・A technique to show quantum oracle indistinguishability
Thank you!