13 research outputs found
Random Oracles in a Quantum World
The interest in post-quantum cryptography - classical systems that remain
secure in the presence of a quantum adversary - has generated elegant proposals
for new cryptosystems. Some of these systems are set in the random oracle model
and are proven secure relative to adversaries that have classical access to the
random oracle. We argue that to prove post-quantum security one needs to prove
security in the quantum-accessible random oracle model where the adversary can
query the random oracle with quantum states.
We begin by separating the classical and quantum-accessible random oracle
models by presenting a scheme that is secure when the adversary is given
classical access to the random oracle, but is insecure when the adversary can
make quantum oracle queries. We then set out to develop generic conditions
under which a classical random oracle proof implies security in the
quantum-accessible random oracle model. We introduce the concept of a
history-free reduction which is a category of classical random oracle
reductions that basically determine oracle answers independently of the history
of previous queries, and we prove that such reductions imply security in the
quantum model. We then show that certain post-quantum proposals, including ones
based on lattices, can be proven secure using history-free reductions and are
therefore post-quantum secure. We conclude with a rich set of open problems in
this area.
Comment: 38 pages, v2: many substantial changes and extensions, merged with a
related paper by Boneh and Zhandr
Key Agreement Against Quantum Adversaries
Key agreement is a cryptographic scenario between two legitimate parties, who need to establish a common secret key over a public authenticated channel, and an eavesdropper who intercepts all their messages in order to learn the secret.
We consider query complexity in which we count only the number of evaluations (queries) of a given black-box function, and classical communication channels.
Ralph Merkle provided the first unclassified scheme for secure communications over insecure channels.
When legitimate parties are willing to ask O(N) queries for some parameter N, any classical eavesdropper needs Omega(N^2) queries before being able to learn their secret, which is optimal.
However, a quantum eavesdropper can break this scheme in O(N) queries.
Furthermore, it was conjectured that any scheme, in which legitimate parties are classical, could be broken in O(N) quantum queries.
In this thesis, we introduce protocols à la Merkle that fall into two categories.
When legitimate parties are restricted to use classical computers, we offer the first secure classical scheme. It requires Omega(N^{13/12}) queries of a quantum eavesdropper to learn the secret.
We give another protocol having security of Omega(N^{7/6}) queries.
Furthermore, for any k>= 2, we introduce a classical protocol in which legitimate parties establish a secret in O(N)
queries while the optimal quantum eavesdropping strategy requires Theta(N^{1/2+k/{k+1}}) queries, approaching Theta(N^{3/2}) when k increases.
When legitimate parties are provided with quantum computers, we present two quantum protocols improving on the best known scheme before this work.
Furthermore, for any k>= 2, we give a quantum protocol in which legitimate parties establish a secret in O(N) queries while the optimal quantum eavesdropping strategy requires Theta(N^{1+{k}/{k+1}}) queries, approaching Theta(N^{2}) when k increases.
On the Security of Proofs of Sequential Work in a Post-Quantum World
A Proof of Sequential Work (PoSW) allows a prover to convince a
resource-bounded verifier that the prover invested a substantial amount of
sequential time to perform some underlying computation. PoSWs have many
applications including time-stamping, blockchain design, and universally
verifiable CPU benchmarks. Mahmoody, Moran, and Vadhan (ITCS 2013) gave the
first construction of a PoSW in the random oracle model though the construction
relied on expensive depth-robust graphs. In a recent breakthrough, Cohen and
Pietrzak (EUROCRYPT 2018) gave an efficient PoSW construction that does not
require expensive depth-robust graphs.
In the classical parallel random oracle model, it is straightforward to argue
that any successful PoSW attacker must produce a long -sequence
and that any malicious party running in sequential time will fail to
produce an -sequence of length except with negligible
probability. In this paper, we prove that any quantum attacker running in
sequential time will fail to produce an -sequence except
with negligible probability -- even if the attacker submits a large batch of
quantum queries in each round. The proof is substantially more challenging and
highlights the power of Zhandry's recent compressed oracle technique (CRYPTO
2019). We further extend this result to establish post-quantum security of a
non-interactive PoSW obtained by applying the Fiat-Shamir transform to Cohen
and Pietrzak's efficient construction (EUROCRYPT 2018).
Comment: 44 pages, 4 figure
Provably secure key establishment against quantum adversaries
At Crypto 2011, some of us had proposed a family of cryptographic protocols
for key establishment capable of protecting quantum and classical legitimate
parties unconditionally against a quantum eavesdropper in the query complexity
model. Unfortunately, our security proofs were unsatisfactory from a
cryptographically meaningful perspective because they were sound only in a
worst-case scenario. Here, we extend our results and prove that for any e > 0,
there is a classical protocol that allows the legitimate parties to establish a
common key after O(N) expected queries to a random oracle, yet any quantum
eavesdropper will have a vanishing probability of learning their key after
O(N^{1.5-e}) queries to the same oracle. The vanishing probability applies to a
typical run of the protocol. If we allow the legitimate parties to use a
quantum computer as well, their advantage over the quantum eavesdropper becomes
arbitrarily close to the quadratic advantage that classical legitimate parties
enjoyed over classical eavesdroppers in the seminal 1974 work of Ralph Merkle.
Along the way, we develop new tools to give lower bounds on the number of
quantum queries required to distinguish two probability distributions. This
method in itself could have multiple applications in cryptography. We use it
here to study average-case quantum query complexity, for which we develop a new
composition theorem of independent interest.
Comment: 22 pages, no figures, fixes a problem with arXiv:1108.2316v2. Will
appear in the Proceedings of the 12th Conference on Theory of Quantum
Computation, Communication and Cryptography (TQC), Paris, June 2017. The only
change in v2 is that there was a problem with the affiliations in v
Quantum cryptanalysis in the RAM model: Claw-finding attacks on SIKE
We introduce models of computation that enable direct comparisons between classical and quantum algorithms. Incorporating previous work on quantum computation and error correction, we justify the use of the gate-count and depth-times-width cost metrics for quantum circuits. We demonstrate the relevance of these models to cryptanalysis by revisiting, and increasing, the security estimates for the Supersingular Isogeny Diffie--Hellman (SIDH) and Supersingular Isogeny Key Encapsulation (SIKE) schemes. Our models, analyses, and physical justifications have applications to a number of memory intensive quantum algorithms
Merkle's Key Agreement Protocol is Optimal: An Attack on any Key Agreement from Random Oracles
We prove that every key agreement protocol in the random oracle model in which the honest users make at most queries to the oracle can be broken by an adversary who makes queries to the oracle. This improves on the previous query attack given by Impagliazzo and Rudich (STOC '89) and resolves an open question posed by
them.
Our bound is optimal up to a constant factor since Merkle proposed a key agreement protocol in 1974 that can be easily implemented with queries to a random oracle and cannot be broken by any adversary who asks queries