Quantum-secure symmetric-key cryptography based on Hidden Shifts
arXiv:1610.01187
Gorjan AlagicQMATH, Department of Mathematical Sciences
University of Copenhagen
Alexander RussellDepartment of Computer Science & Engineering
University of Connecticut
quantum computation + cryptography
Typical post-quantum crypto:
Classical crypto in quantum world:
Fully-quantum crypto:
classicalquantum
adversary cryptosystem
classicalquantum
adversary cryptosystem
quantum
adversary cryptosystem
Classical functions on a quantum computer
Let 𝑓: 0,1 𝑛 → 0,1 𝑚 be some function.
Quantum generalizes classical, so we can implement 𝑓 on our quantum computer. How?
1. 𝑥, 𝑦 ↦ (𝑥, 𝑦 ⊕ 𝑓 𝑥 ) [turn into reversible function]
2. 𝑥 𝑦 ↦ 𝑥 |𝑦 ⊕ 𝑓 𝑥 ⟩ [run circuit on your quantum computer]
But wait… now we can plug in non-classical inputs:
𝑥,𝑦
𝛼𝑥𝑦 𝑥 𝑦 ↦
𝑥,𝑦
𝛼𝑥𝑦 𝑥 |𝑦 ⊕ 𝑓 𝑥 ⟩
E.g., can prepare uniform superposition of values:
quantum access?
(𝑥, 𝑓 𝑥 )for random 𝑥
??
𝑥
𝑥 |𝑓 𝑥 ⟩
Recall CPA:
• classically: implements the map: 𝑥 ↦ 𝑬𝒏𝒄𝑘 𝑥 ;
• what happens if 𝐴 can run this map quantumly?
• then 𝐴 gets quantum oracle: 𝑥 𝑦 ↦ 𝑥 |𝑦 ⊕ 𝑬𝒏𝒄𝑘 𝑥 ⟩
• … and can run it on non-classical inputs!
Some protocol involving an encryption scheme 𝑬𝒏𝒄,𝑫𝒆𝒄 …
quantum access?
𝐴
𝑬𝒏𝒄𝑘
𝑬𝒏𝒄𝑘
??
𝑥
𝑥 |𝑬𝒏𝒄𝑘 𝑥 ⟩
In some settings, “quantum oracles” make perfect sense:
• public-key encryption: 𝑝𝑘 ↦ encrypt circuit
• hash functions: algorithm
• exposing code: obfuscated circuit
In other settings, this might depend on the model, or the physics:
• private-key encryption (can device act coherently? “frozen smart card” [GHS16])
• authentication and signatures (can user be fooled into signing superposition?)
In any case: the model is of theoretical interest!
reversible circuit
quantum access: is it realistic?
Yes: pseudorandomness still exists!
[GGM84] construction yields PRFs {𝑓𝑘} which are “quantum oracle” – secure [Zha12].
Maybe everything is ok, even in this model?
is *anything* secure in this model?
Authentication [BZ13]:• Uniformly random key 𝑘 for 𝑓𝑘 ;• 𝐌𝐀𝐂𝑘 𝑚 = 𝑓𝑘 𝑚 .
Encryption [BZ13]:• Uniformly random 𝑘 for 𝑓𝑘 ;• 𝐄𝐧𝐜𝑘 𝑚 = 𝑟, 𝑓𝑘 𝑟 ⊕𝑚 .
“Simplest block cipher” [EM97, DKS11]:
1. Fix public, random permutation 𝑃: 0,1 𝑛 → 0,1 𝑛;
2. Uniformly random key: 𝑘 ∈𝑅 0,1 𝑛;
3. Encrypt: 𝐸𝑘 𝑥 = 𝑃 𝑥 ⊕ 𝑘 ⊕ 𝑘 .
Security:
• 𝐸𝑘 is strongly pseudorandom (even if adversary has 𝑃, 𝑃−1, 𝐸𝑘, 𝐸𝑘−1.)
• ⇒ can’t decrypt;
• ⇒ can’t forge input/output pairs, etc.
𝑃
𝑘 𝑘
𝑥 𝐸𝑘(𝑥)
quantum oracle attacks: an example
simple predecessor to ShorGiven:• oracle access to 𝑓;• Promise ∃𝒌 s.t. 𝑓 𝑥 = 𝑓(𝑦) iff 𝑦 = 𝑥 ⊕ 𝒌;Output:• 𝒌
“Simplest block cipher” [EM97, DKS11]:
𝐸𝑘 𝑥 = 𝑃 𝑥 ⊕ 𝑘 ⊕ 𝑘 .
Quantum attack [KM12]:
1. Form oracle 𝑓 𝑥 = 𝑃 𝑥 ⊕ 𝐸𝑘 𝑥 ;
2. Apply Simon’s algorithm on 𝑓 and output result.
Why does it work? 𝑓 𝑥 = 𝑃 𝑥 ⊕ 𝑃 𝑥 ⊕ 𝑘 ⊕ 𝑘 = 𝑓(𝑥 ⊕ 𝑘)
This is Simon’s promise ⇒ attack will output 𝑘!
Devastating: complete key recovery with only 𝒪(𝑛) queries, space and time!
Simple variants also break: 3-round Feistel [KM10], Encrypted-CBC-MAC, LRW tweakable ciphers, many CAESAR candidates, … [KLLN16, SS16].
quantum oracle attacks: an example
𝑃
𝑘 𝑘
𝑥 𝐸𝑘(𝑥)
Hidden Shift Problem (HS). Fix a finite group 𝐺. Given oracles for injective 𝑓, 𝑔: 𝐺 → 𝑆and a promise that ∃ 𝑠 ∈ 𝐺 such that 𝑓 𝑥 = 𝑔(𝑥 ⋅ 𝑠) for all 𝑥 ∈ 𝐺, output 𝑠.
The Simon attack breaks: Even-Mansour, 3-round Feistel, Encrypted-CBC-MAC, LRW tweakable ciphers, many CAESAR candidates, …
• if viewed in a certain way, all the attacks…
• first build a pair of shifted functions: 𝑓 𝑥 = 𝑔(𝑥 ⊕ 𝑘)…
• … and then apply Simon’s algorithm to 𝑓 𝑥 ⊕ 𝑔(𝑥).
𝒇 𝒈
what is really at the core: hidden shift
well-known to quantum algorithms community!
Classically: requires exponentially-many queries [in 𝑛 = log( 𝐺 ) ].
Quantumly: efficiently solvable for 𝐺 = ℤ2𝑛 (Simon).
For most other groups, appears to be hard.
Cyclic groups: (e.g., ℤ2𝑛)
• best quantum algorithm takes 2𝒪 𝑛 time [Kup03].
• only idea we have (“coset sampling”) : if it works, then UniqueSVP ∈ BQP [Reg02].
Symmetric groups: (i.e., 𝑆𝑛)
• no subexp algorithms known;
• coset sampling unlikely to give even subexp algorithms [MR05, MRS07].
hidden shift problem
Hidden Shift Problem (HS). Fix a finite group 𝐺. Given oracles for injective 𝑓, 𝑔: 𝐺 → 𝑆and a promise that ∃ 𝑠 ∈ 𝐺 such that 𝑓 𝑥 = 𝑔(𝑥 ⋅ 𝑠) for all 𝑥 ∈ 𝐺, output 𝑠.
The Simon attack breaks: Even-Mansour, 3-round Feistel, Encrypted-CBC-MAC, LRW tweakable ciphers, many CAESAR candidates, …
Generic fix:
• select an exponentially-large group (family) 𝐺 (e.g., cyclic ℤ2n, dihedral 𝐷𝑚, symmetric 𝑆𝑛, Lie-type 𝑆𝐿2(𝔽𝑞), … )
• replace input/output spaces with 𝐺 (or a power of 𝐺).
• replace bitwise XOR operation with group operation on 𝐺.
Sanity check [AH17]:
• this does not affect classical security…
• … or classical-access security against quantum adversaries.
hidden shift crypto
The Simon attack breaks: Even-Mansour, 3-round Feistel, Encrypted-CBC-MAC, LRW tweakable ciphers, many CAESAR candidates, …
Generic fix:
• select an exponentially-large group (family) 𝐺 (e.g., cyclic ℤ2n, dihedral 𝐷𝑚, symmetric 𝑆𝑛, Lie-type 𝑆𝐿2(𝔽𝑞), …
• replace input/output spaces with 𝐺 (or a power of 𝐺).
• replace bitwise XOR operation with group operation on 𝐺.
Example 1: Even-Mansour.
1. Fix public, random permutation 𝑃: 𝐺 → 𝐺;
2. Select key: 𝑘 ∈𝑅 𝐺;
3. Encrypt: 𝐸𝑘 𝑥 = 𝑃 𝑥 ⋅ 𝑘 ⋅ 𝑘 .
𝑃
𝑘 𝑘
𝑥 𝐸𝑘(𝑥)⋅ ⋅
hidden shift crypto
⋅ : 𝐺 × 𝐺 → 𝐺
The Simon attack breaks: Even-Mansour, 3-round Feistel, Encrypted-CBC-MAC, LRW tweakable ciphers, many CAESAR candidates, …
Generic fix:
• select an exponentially-large group (family) 𝐺 (e.g., cyclic ℤ2n, dihedral 𝐷𝑚, symmetric 𝑆𝑛, Lie-type 𝑆𝐿2(𝔽𝑞), …
• replace input/output spaces with 𝐺 (or a power of 𝐺).
• replace bitwise XOR operation with group operation on 𝐺.
Example 2: Feistel network.
1. Choose pseudorandom function 𝑅: 0,1 𝑛 × 𝐺 → 𝐺;
2. Choose keys 𝑘𝑗 ∈𝑅 0,1 𝑛, set 𝑅𝑗 ≔ 𝑅𝑘𝑗;
3. Build pseudorandom permutation on 𝐺 × 𝐺:
R1
R2
R3
+
+
+
⋅
⋅
⋅
hidden shift crypto
⋅ : 𝐺 × 𝐺 → 𝐺
The Simon attack breaks: Even-Mansour, 3-round Feistel, Encrypted-CBC-MAC, LRW tweakable ciphers, many CAESAR candidates, …
Generic fix:
• select an exponentially-large group (family) 𝐺 (e.g., cyclic ℤ2n, dihedral 𝐷𝑚, symmetric 𝑆𝑛, Lie-type 𝑆𝐿2(𝔽𝑞), …
• replace input/output spaces with 𝐺 (or a power of 𝐺).
• replace bitwise XOR operation with group operation on 𝐺.
Example 3: Encrypted-CBC-MAC.
1. Fix keyed, pseudorandom permutation 𝐸: 0,1 𝑛 × 𝐺 → 𝐺;
2. Select key pair: 𝑘, 𝑘1 ∈𝑅 0,1 𝑛;
3. Decompose message 𝑚 ∈ 𝐺𝑙 into blocks 𝑚𝑗 ∈ 𝐺.
Ek Ek … Ek Ek’+ +⋅ ⋅ ⋅1
hidden shift crypto
⋅ : 𝐺 × 𝐺 → 𝐺
Is this “generic fix” a good idea?
1. The Hidden Shift Problem (HS) seems to be a good crypto primitive.
Theorem 1. The Hidden Shift Problem is random self-reducible.
main results
Is this “generic fix” a good idea?
1. The Hidden Shift Problem (HS) seems to be a good crypto primitive.
• randomized version “RHS” where 𝑓 is random and 𝑔 is a shift;
• QPT = quantum polynomial-time algorithm.
Proof idea:
Use the “1/poly-fraction” QPT to explore the entire space of instances, by:
1. randomizing shifts by pre-composing 𝑓 (but not 𝑔) with a random shift;
2. randomize outputs by post-composing both 𝑓 and 𝑔 with a qPRF;
3. repeat with fresh randomness, and a fresh qPRF key poly-many times;
4. test any outputs of the QPT by random sampling and checking.
Theorem 1. RHS is random self-reducible. That is, if there exists a QPT which solves RHS for a 1/poly-fraction of inputs, then there exists a QPT which solves RHS and HS for all but a negligible fraction of inputs.
main results
Is this “generic fix” a good idea?
1. The Hidden Shift Problem (HS) seems to be a good crypto primitive.
Theorem 2. The decision and search version of HS are equivalent.
main results
Is this “generic fix” a good idea?
1. The Hidden Shift Problem (HS) seems to be a good crypto primitive.
Decision version (DRHS). Decide: (i.) 𝑓 is random, 𝑔 is a shift, or (ii.) 𝑓, 𝑔 are random.
Proof idea:
RHS ⇒ DRHS is obvious (note: can amplify here.)
DRHS ⇒ RHS. Descend subgroup tower 𝐺𝑚 ≥ 𝐺𝑚−1 ≥ ⋯ ≥ 𝐺1 recursively.
1. for each transversal element 𝛼, call DRHS on 𝑓 and 𝑔 ∘ 𝐿𝛼 restricted to 𝐺𝑚−1;
2. exactly one value of 𝛼 (say, 𝛽𝑚) will result in “shift;”
3. recursively call algorithm on next level down with restrictions of 𝑓 and 𝑔 ∘ 𝐿𝛽𝑚;
4. output product 𝛽𝑚𝛽𝑚−1⋯𝛽1.
Theorem 2. Suppose 𝐺 has an efficient subgroup series (e.g., ℤ2𝑛 or 𝑆𝑛.) Then there exists a QPT* for DRHS if and only if there exists a QPT* for RHS.
* - with at most 1/poly completeness and soundness error
main results
Is this “generic fix” a good idea?
2. It frustrates all known Simon attacks.
By our theorems + previous results, this would yield:
• (worst-case) quantum algorithm for Hidden Shift;
• (worst-case) quantum algorithm for Hidden Subgroup Problem;
• (over ℤ𝑑) possible poly-time quantum attacks on lattice crypto [Regev02];
• (over 𝑆𝑛) simple poly-time quantum algorithms for Graph Isomorphism;
• (over 𝑆𝑛) efficient attacks on “known-code” version of McEliece [DMR10].
The Simon attack on the Hidden Shift variants of all aforementioned schemes requires a subroutine for efficiently solving the RHS problem over the relevant group family.
main results
Is this “generic fix” a good idea?
3. In some cases, we can prove security reductions.
Theorem 3 [AR16]. Under the HS assumption, the Hidden Shift Even-Mansour cipher is pseudorandom.
HS assumption: there does not exist a polynomial-time quantum algorithm for the Hidden Shift problem which succeeds on all instances.
Theorem 4 [AR16]. Under the HS assumption, the Hidden Shift Encrypted-CBC-MAC is collision-free.
main results
In the “quantum oracle” security model…
• previous results: many standard schemes (Even-Mansour, Feistel, CBC-MAC, etc.) are broken;
• we identified an easy generic patch: replace bitwise XOR with modular addition;
• quantum-resistance of resulting schemes is connected to Hidden Shift and Hidden Subgroup Problem;
• … in some cases via rigorous security reductions;
• this crypto view on HS and HSP led to some new results on their algorithmic hardness!
What’s next?
• what else is broken in this model?
• can HS or HSP serve as a basis for other quantum-secure crypto?
• gain confidence in our security notions for encryption, authentication, signatures, etc.
Thanks!
conclusions
Top Related