
    Quantum Indistinguishability for Public Key Encryption

    In this work we study the quantum security of public key encryption schemes (PKE). Boneh and Zhandry (CRYPTO'13) initiated this research area for PKE and symmetric key encryption (SKE), albeit restricted to a classical indistinguishability phase. Gagliardoni et al. (CRYPTO'16) advanced the study of quantum security by giving, for SKE, the first definition with a quantum indistinguishability phase. For PKE, on the other hand, no notion of quantum security with a quantum indistinguishability phase exists. Our main result is a novel quantum security notion (qIND-qCPA) for PKE with a quantum indistinguishability phase, which closes the aforementioned gap. We show a distinguishing attack against code-based schemes and against LWE-based schemes with certain parameters. We also show that the canonical hybrid PKE-SKE encryption construction is qIND-qCPA-secure, even if the underlying PKE scheme by itself is not. Finally, we classify quantum-resistant PKE schemes based on the applicability of our security notion. Our core idea follows the approach of Gagliardoni et al. by using so-called type-2 operators for encrypting the challenge message. At first glance, type-2 operators appear unnatural for PKE, as the canonical way of building them requires both the secret and the public key. However, we identify a class of PKE schemes, which we call recoverable, and show that for this class type-2 operators require merely the public key. Moreover, recoverable schemes allow realising type-2 operators even if they suffer from decryption failures, which in general thwarts the reversibility mandated by type-2 operators. Our work reveals that many real-world quantum-resistant PKE schemes, including most NIST PQC candidates and the canonical hybrid construction, are indeed recoverable.

    Application of Automorphic Forms to Lattice Problems

    In this paper, we propose a new approach to the study of lattice problems used in cryptography. We specifically focus on module lattices of a fixed rank over some number field. An essential question is the hardness of certain computational problems on such module lattices, as the additional structure may allow exploitation. The fundamental insight is the fact that the collection of those lattices is a quotient of an algebraic manifold by an arithmetic subgroup. Functions on these spaces are studied in mathematics as part of number theory. In particular, they form a module over the Hecke algebra associated with the general linear group. We use results on these function spaces to define a class of distributions on the space of lattices. Using the Hecke algebra, we define Hecke operators associated with collections of prime ideals of the number field and show a criterion for distributions to converge to the uniform distribution when the Hecke operators are applied to the chosen distribution. Our approach is motivated by the work of de Boer, Ducas, Pellet-Mary, and Wesolowski (CRYPTO'20) on self-reduction of ideal lattices via Arakelov divisors.

    On Quantum Ciphertext Indistinguishability, Recoverability, and OAEP

    The qINDqCPA security notion for public-key encryption schemes by Gagliardoni et al. (PQCrypto'21) models security against adversaries which are able to obtain ciphertexts in superposition. Defining this security notion requires a special type of quantum operator. Known constructions differ in which keys are necessary to construct this operator, depending on properties of the encryption scheme. We argue—for the typical setting of securing communication between Alice and Bob—that in order to apply the notion, the quantum operator should be realizable for challengers knowing only the public key. This is already known to be the case for a wide range of public-key encryption schemes, in particular those exhibiting the so-called recoverability property, which allows recovering the message from a ciphertext using the randomness instead of the secret key. The open question is whether there are real-world public-key encryption schemes for which the notion is not applicable, considering the aforementioned observation on the keys known by the challenger. We answer this question in the affirmative by showing that applying the qINDqCPA security notion to the OAEP construction requires the challenger to know the secret key. We conclude that the qINDqCPA security notion might need to be refined to eventually yield a universally applicable PKE notion of quantum security with a quantum indistinguishability phase.

    Evaluation of the Residency Programs of the Universidade Federal do Rio Grande do Sul from the Residents' Perspective

    Introduction: The multi-professional residencies in the Health area started to improve after Law no. 11.129 of 2005. They are a modality of Lato sensu graduate education, with the purpose of training professionals to work in the National Unified Health System (SUS). Objective: This study aimed to investigate the current situation, from a perspective of satisfaction with the training in Residency courses, with the residents of the Federal University of Rio Grande do Sul. Material and method: It is a study with a mixed-methods approach. The quantitative section was conducted through the application of a questionnaire to all residents participating in the UFRGS Residency Programs in 2018. The qualitative part was conducted using the focus group technique. Result: There were 81 participants in the quantitative component, and 14 residents of the Oral Health program participated in the focus groups. The quantitative results showed that residents received little or no guidance at the beginning of the program. The qualitative results showed questions that allow inferences about residents' dissatisfaction and lack of knowledge about the functioning of the Programs. Conclusion: Residents recognize that there are still issues with program administration to be improved, and especially the recognition of the importance of the Residency Programs within the University.

    qTESLA: Practical Implementations of a Quantum Attack Resistant Signature Scheme

    Due to the advent of quantum computers, the security of existing public-key cryptography is threatened, since quantum computers are expected to be able to solve the underlying mathematical problems efficiently. Hence, quantum-resistant alternatives are required. Consequently, about 70 post-quantum scheme candidates were submitted to the National Institute of Standards and Technology (NIST) standardization effort. One candidate is the qTESLA signature scheme. We present an efficient shared-memory parallelization of qTESLA's core routines, analyze the speedup in depth and show that it can compete with the two most commonly used signature schemes, RSA and ECDSA, which are quantum-vulnerable. The speed is further increased by semi-automatic tuning of qTESLA's configuration parameters based on results of multi-parameter performance models. We show how to considerably increase qTESLA's usability through the Java Native Interface (JNI) without performance penalty. The analysis on x86 and ARM architectures employing three operating systems demonstrates the achieved portability. The enhanced performance, its straightforward usability and the high portability of our implementation make it a quantum-safe replacement for the state-of-the-art schemes.

    Committing Authenticated Encryption: Sponges vs. Block-Ciphers in the case of the NIST LWC Finalists

    Committing security has gained considerable attention in the field of authenticated encryption (AE). This can be traced back to a line of recent attacks, which suggests that AE schemes used in practice should provide not only confidentiality and authenticity, but also committing security. Roughly speaking, a committing AE scheme guarantees that a ciphertext will decrypt under only one key. Despite the recent research effort in this area, the finalists of the NIST lightweight cryptography standardization process have not been put under consideration yet. We close this gap by providing an analysis of these schemes with respect to their committing security. Despite the structural similarities the finalists exhibit, our results are of a quite heterogeneous nature: we break four of the schemes with effectively no cost, while for two schemes our attacks are costlier, yet still efficient. For the remaining three schemes, ISAP, Ascon, and (a slightly modified version of) Schwaemm, we give formal security proofs. Our analysis reveals that sponges—due to their large states—are more favorable for committing security compared to block ciphers.

    A new Parallelization for p3Enum and Parallelized Generation of Optimized Pruning Functions

    Since quantum computers will be able to efficiently break all public-key encryption schemes employed today, quantum-safe cryptographic alternatives are required. One group of candidates are lattice-based schemes, since they are efficient and versatile. To make them practical, their security level must be assessed on classical HPC systems in order to determine efficient but secure parameterizations. In this paper, we propose a novel parallelization strategy for the open source framework p3Enum, which is designed to solve the important lattice problem of finding the shortest non-zero vector in a lattice (SVP). We also present the p3Enum extreme pruning function generator (p3Enum-epfg), which generates optimized extreme pruning functions for p3Enum's pruned lattice enumeration by employing a parallelized simulated annealing approach. We demonstrate the quality of the pruning functions delivered. Combining the new parallelization with optimized pruning functions speeds up p3Enum by a factor of up to 3 compared to the previous version. Additionally, we compare the required runtime to solve the SVPs with state-of-the-art tools and, for the first time, also visualize the statistical effects in the runtime of the algorithms under consideration. This allows a considerably better understanding of the behavior of the implementations than previous average-value considerations and demonstrates the relative stability of p3Enum's parallel runtimes, which improves reproducibility and predictability. All these advancements make it the fastest SVP solver for lattice dimensions 66 to 92 and a suitable building block as an SVP oracle in lattice basis reduction.

    Safe-Error Attacks on SIKE and CSIDH

    The isogeny-based post-quantum schemes SIKE (NIST PQC round 3 alternate candidate) and CSIDH (Asiacrypt 2018) have received little attention with respect to their fault attack resilience so far. We aim to fill this gap and provide a better understanding of their vulnerability by analyzing their resistance to safe-error attacks. We present four safe-error attacks, two against SIKE and two against a constant-time implementation of CSIDH that uses dummy isogenies. The attacks use targeted bit flips during the respective isogeny-graph traversals. All four attacks lead to full key recovery. By using voltage and clock glitching, we physically carried out two of the attacks, one against each scheme, thus demonstrating that full key recovery is also possible in practice.

    A Practical Second-Order Fault Attack against a Real-World Pairing Implementation

    Several fault attacks against pairing-based cryptography have been described theoretically in recent years. Interestingly, none of these have been practically evaluated. We accomplished this task and prove that fault attacks against pairing-based cryptography are indeed possible and even practical — thus posing a serious threat. Moreover, we successfully conducted a second-order fault attack against an open source implementation of the eta pairing on an AVR XMEGA A1. We injected the first fault into the computation of the Miller algorithm and applied the second fault to skip the final exponentiation completely. We introduce a low-cost setup that allowed us to generate multiple independent faults in one computation. The setup implements these faults by clock glitches which induce instruction skips. With this setup we conducted the first practical fault attack against a complete pairing computation.