Quantum attacks against iterated block ciphers
We study the amplification of security against quantum attacks provided by
iteration of block ciphers. In the classical case, the Meet-in-the-middle
attack is a generic attack against those constructions. This attack reduces the
time required to break double iterations to only twice the time it takes to
attack a single block cipher, given that the attacker has access to a large
amount of memory. More abstractly, it shows that security by composition does
not achieve exact multiplicative amplification. We present a quantized version
of this attack based on an optimal quantum algorithm for the Element
Distinctness problem. We then use the generalized adversary method to prove the
optimality of the attack. An interesting corollary is that the time-space
tradeoff for quantum attacks is very different from what classical attacks
allow. This first result seems to indicate that composition resists quantum
attacks better than classical ones, because it prevents the quadratic speedup
achieved by quantizing an exhaustive search.
We investigate security amplification by composition further by examining the
case of four iterations. We quantize a recent technique called the dissection
attack using the framework of quantum walks. Surprisingly, this leads to better
gains over classical attacks than for double iterations, which seems to
indicate that when the number of iterations grows, the resistance against
quantum attacks decreases.
Comment: 14 pages
Quantum Cryptography Beyond Quantum Key Distribution
Quantum cryptography is the art and science of exploiting quantum mechanical
effects in order to perform cryptographic tasks. While the most well-known
example of this discipline is quantum key distribution (QKD), there exist many
other applications such as quantum money, randomness generation, secure two-
and multi-party computation and delegated quantum computation. Quantum
cryptography also studies the limitations and challenges resulting from quantum
adversaries, including the impossibility of quantum bit commitment, the
difficulty of quantum rewinding and the definition of quantum security models
for classical primitives. In this review article, aimed primarily at
cryptographers unfamiliar with the quantum world, we survey the area of
theoretical quantum cryptography, with an emphasis on the constructions and
limitations beyond the realm of QKD.
Comment: 45 pages, over 245 references
Random Oracles in a Quantum World
The interest in post-quantum cryptography - classical systems that remain
secure in the presence of a quantum adversary - has generated elegant proposals
for new cryptosystems. Some of these systems are set in the random oracle model
and are proven secure relative to adversaries that have classical access to the
random oracle. We argue that to prove post-quantum security one needs to prove
security in the quantum-accessible random oracle model where the adversary can
query the random oracle with quantum states.
We begin by separating the classical and quantum-accessible random oracle
models by presenting a scheme that is secure when the adversary is given
classical access to the random oracle, but is insecure when the adversary can
make quantum oracle queries. We then set out to develop generic conditions
under which a classical random oracle proof implies security in the
quantum-accessible random oracle model. We introduce the concept of a
history-free reduction which is a category of classical random oracle
reductions that basically determine oracle answers independently of the history
of previous queries, and we prove that such reductions imply security in the
quantum model. We then show that certain post-quantum proposals, including ones
based on lattices, can be proven secure using history-free reductions and are
therefore post-quantum secure. We conclude with a rich set of open problems in
this area.
Comment: 38 pages, v2: many substantial changes and extensions, merged with a related paper by Boneh and Zhandry
On the Security of Proofs of Sequential Work in a Post-Quantum World
A Proof of Sequential Work (PoSW) allows a prover to convince a
resource-bounded verifier that the prover invested a substantial amount of
sequential time to perform some underlying computation. PoSWs have many
applications including time-stamping, blockchain design, and universally
verifiable CPU benchmarks. Mahmoody, Moran, and Vadhan (ITCS 2013) gave the
first construction of a PoSW in the random oracle model though the construction
relied on expensive depth-robust graphs. In a recent breakthrough, Cohen and
Pietrzak (EUROCRYPT 2018) gave an efficient PoSW construction that does not
require expensive depth-robust graphs.
In the classical parallel random oracle model, it is straightforward to argue
that any successful PoSW attacker must produce a long -sequence
and that any malicious party running in sequential time will fail to
produce an -sequence of length except with negligible
probability. In this paper, we prove that any quantum attacker running in
sequential time will fail to produce an -sequence except
with negligible probability, even if the attacker submits a large batch of
quantum queries in each round. The proof is substantially more challenging and
highlights the power of Zhandry's recent compressed oracle technique (CRYPTO
2019). We further extend this result to establish post-quantum security of a
non-interactive PoSW obtained by applying the Fiat-Shamir transform to Cohen
and Pietrzak's efficient construction (EUROCRYPT 2018).
Comment: 44 pages, 4 figures
Collision search and quantum symmetric cryptanalysis (Recherche de collisions et cryptanalyse symétrique quantique)
Since the decisive discovery of Shor's algorithm ([Sho94]), the cryptographic community has taken a close interest in the capabilities of a potential quantum computer, whose emergence would bring down most of the asymmetric primitives in use today. The situation in symmetric cryptography is more ambiguous: the general belief is that doubling key sizes is enough to protect current systems. Indeed, Grover's algorithm ([Gro96]) promises a quadratic speedup for any kind of exhaustive search. However, recent work has called this peremptory claim into question ([Kap+16a]). My internship continues this line of work.
Hidden Shift Quantum Cryptanalysis and Implications
At Eurocrypt 2017 a tweak to counter Simon's quantum attack was proposed: replace the common bitwise addition with other operations, such as modular addition. The starting point of our paper is a follow-up of these previous results. First, we have developed new algorithms that improve and generalize Kuperberg's algorithm for the hidden shift problem, which is the algorithm that applies instead of Simon's when considering modular additions. Thanks to our improved algorithm, we have been able to build a quantum attack in the superposition model on Poly1305, proposed at FSE 2005, widely used and claimed to be quantumly secure. We also answer an open problem by analyzing the effect of the tweak on the FX construction. We have also generalized the algorithm: we propose for the first time a quantum algorithm for solving the problem with parallel modular additions, with a complexity that matches both Simon and Kuperberg in its extremes. We also propose a generic algorithm to solve the hidden shift problem in non-abelian groups. In order to verify the theoretical analysis we performed, and to get concrete estimates of the cost of the algorithms, we have simulated them and were able to validate our estimated complexities. Finally, we analyze the security of some classical symmetric constructions with concrete parameters, to evaluate the impact and practicality of the proposed tweak, concluding that it does not seem to be efficient.