
    Quantum Indistinguishability for Public Key Encryption

    In this work we study the quantum security of public key encryption schemes (PKE). Boneh and Zhandry (CRYPTO'13) initiated this research area for PKE and symmetric key encryption (SKE), albeit restricted to a classical indistinguishability phase. Gagliardoni et al. (CRYPTO'16) advanced the study of quantum security by giving, for SKE, the first definition with a quantum indistinguishability phase. For PKE, on the other hand, no notion of quantum security with a quantum indistinguishability phase exists. Our main result is a novel quantum security notion (qIND-qCPA) for PKE with a quantum indistinguishability phase, which closes the aforementioned gap. We show a distinguishing attack against code-based schemes and against LWE-based schemes with certain parameters. We also show that the canonical hybrid PKE-SKE encryption construction is qIND-qCPA-secure, even if the underlying PKE scheme by itself is not. Finally, we classify quantum-resistant PKE schemes based on the applicability of our security notion. Our core idea follows the approach of Gagliardoni et al. by using so-called type-2 operators for encrypting the challenge message. At first glance, type-2 operators appear unnatural for PKE, as the canonical way of building them requires both the secret and the public key. However, we identify a class of PKE schemes, which we call recoverable, and show that for this class type-2 operators require merely the public key. Moreover, recoverable schemes allow type-2 operators to be realised even if the schemes suffer from decryption failures, which in general thwarts the reversibility mandated by type-2 operators. Our work reveals that many real-world quantum-resistant PKE schemes, including most NIST PQC candidates and the canonical hybrid construction, are indeed recoverable.

    On Quantum Ciphertext Indistinguishability, Recoverability, and OAEP

    The qINDqCPA security notion for public-key encryption schemes by Gagliardoni et al. (PQCrypto'21) models security against adversaries which are able to obtain ciphertexts in superposition. Defining this security notion requires a special type of quantum operator. Known constructions differ in which keys are necessary to construct this operator, depending on properties of the encryption scheme. We argue, for the typical setting of securing communication between Alice and Bob, that in order to apply the notion, the quantum operator should be realizable for challengers knowing only the public key. This is already known to be the case for a wide range of public-key encryption schemes, in particular those exhibiting the so-called recoverability property, which allows the message to be recovered from a ciphertext using the randomness instead of the secret key. The open question is whether there are real-world public-key encryption schemes for which the notion is not applicable, considering the aforementioned observation on the keys known by the challenger. We answer this question in the affirmative by showing that applying the qINDqCPA security notion to the OAEP construction requires the challenger to know the secret key. We conclude that the qINDqCPA security notion might need to be refined to eventually yield a universally applicable PKE notion of quantum security with a quantum indistinguishability phase.

    Committing Authenticated Encryption: Sponges vs. Block-Ciphers in the case of the NIST LWC Finalists

    Committing security has gained considerable attention in the field of authenticated encryption (AE). This can be traced back to a line of recent attacks, which suggests that AE schemes used in practice should not only provide confidentiality and authenticity, but also committing security. Roughly speaking, a committing AE scheme guarantees that a ciphertext will decrypt correctly under only one key. Despite the recent research effort in this area, the finalists of the NIST lightweight cryptography standardization process have not been put under consideration yet. We close this gap by providing an analysis of these schemes with respect to their committing security. Despite the structural similarities the finalists exhibit, our results are of a quite heterogeneous nature: we break four of the schemes with effectively no cost, while for two schemes our attacks are costlier, yet still efficient. For the remaining three schemes ISAP, Ascon, and (a slightly modified version of) Schwaemm, we give formal security proofs. Our analysis reveals that sponges, due to their large states, are more favorable for committing security compared to block ciphers.

    Efficient Post-Quantum Secure Deterministic Threshold Wallets from Isogenies

    Cryptocurrency networks crucially rely on digital signature schemes, which are used as an authentication mechanism for transactions. Unfortunately, most major cryptocurrencies today, including Bitcoin and Ethereum, employ signature schemes that are susceptible to quantum adversaries, i.e., an adversary with access to a quantum computer can forge signatures and thereby spend coins of honest users. In cryptocurrency networks, signature schemes are typically not executed in isolation, but within a so-called cryptographic wallet. In order to achieve security against quantum adversaries, both the signature scheme and the cryptographic wallet must withstand quantum attacks. In this work, we advance the study of post-quantum secure signature and wallet schemes. That is, we provide the first formal model for deterministic threshold wallets and we show a generic post-quantum secure construction from any post-quantum secure threshold signature scheme with rerandomizable keys. We then instantiate our construction from the isogeny-based signature scheme CSI-FiSh and we show that our instantiation significantly improves over prior work.

    A Lightweight Identification Protocol Based on Lattices

    In this work we present a lightweight lattice-based identification protocol based on the CPA-secure public key encryption scheme Kyber. It is designed as a replacement for existing classical ECC- or RSA-based identification protocols in IoT, smart card applications, or for device authentication. The proposed protocol is simple and efficient, and its implementations are expected to be easy to harden against side-channel attacks. Compared to standard constructions for identification protocols based on lattice-based KEMs, our construction achieves this by avoiding the Fujisaki-Okamoto transform and its impact on implementation security. Moreover, contrary to prior lattice-based identification protocols or standard constructions using signatures, our work does not require rejection sampling and can use more efficient parameters than signature schemes. We provide a generic construction from CPA-secure public key encryption schemes to identification protocols and give a security proof of the protocol in the ROM. Moreover, we instantiate the generic construction with Kyber, for which we use the proposed parameter sets for NIST security levels I, III, and V. To show that the protocol is suitable for constrained devices, we implemented one selected parameter set on an ARM Cortex-M4 microcontroller. As the protocol is based on existing algorithms for Kyber, we make use of existing software components (e.g., fast NTT implementations) for our implementation.

    On the (In)Security of the BUFF Transform

    The BUFF transform is a generic transformation for digital signature schemes, with the purpose of obtaining additional security properties beyond standard unforgeability, e.g., exclusive ownership and non-resignability. In the call for additional post-quantum signatures, these were explicitly mentioned by NIST as "additional desirable security properties", and some of the submissions indeed refer to the BUFF transform with the purpose of achieving them, while some other submissions follow the design of the BUFF transform without mentioning it explicitly. In this work, we show the following negative results regarding the non-resignability property in general, and the BUFF transform in particular. In the plain model, we observe by means of a simple attack that any signature scheme for which the message has high entropy given the signature does not satisfy the non-resignability property (while non-resignability is trivially not satisfied if the message can be efficiently computed from its signature). Given that the BUFF transform has high entropy in the message given the signature, it follows that the BUFF transform does not achieve non-resignability whenever the random oracle is instantiated with a hash function, no matter which hash function. When considering the random oracle model (ROM), the matter becomes slightly more delicate, since prior works did not rigorously define the non-resignability property in the ROM. For the natural extension of the definition to the ROM, we observe that our impossibility result still holds, despite there having been positive claims about the non-resignability of the BUFF transform in the ROM. Indeed, prior claims of the non-resignability of the BUFF transform rely on faulty argumentation.
    On the positive side, we prove that a salted version of the BUFF transform satisfies a slightly weaker variant of non-resignability in the ROM, covering both classical and quantum attacks, if the entropy requirement in the (weakened) definition of non-resignability is statistical; for the computational variant, we show yet another negative result.

    Quantum phase transition to unconventional multi-orbital superfluidity in optical lattices

    Orbital physics plays a significant role for a vast number of important phenomena in complex condensed matter systems such as high-T_c superconductivity and unconventional magnetism. In contrast, phenomena in superfluids, especially in ultracold quantum gases, are commonly well described by the lowest orbital and a real order parameter. Here, we report on the observation of a novel multi-orbital superfluid phase with a complex order parameter in binary spin mixtures. In this unconventional superfluid, the local phase angle of the complex order parameter is continuously twisted between neighboring lattice sites. The nature of this twisted superfluid quantum phase is an interaction-induced admixture of the p-orbital favored by the graphene-like band structure of the hexagonal optical lattice used in the experiment. We observe a second-order quantum phase transition between the normal superfluid (NSF) and the twisted superfluid phase (TSF) which is accompanied by a symmetry breaking in momentum space. The experimental results are consistent with calculated phase diagrams and reveal fundamentally new aspects of orbital superfluidity in quantum gas mixtures. Our studies might bridge the gap between conventional superfluidity and complex phenomena of orbital physics.
    Comment: 5 pages, 4 figure

    Post-Quantum Security of Tweakable Even-Mansour, and Applications

    The tweakable Even-Mansour construction yields a tweakable block cipher from a public random permutation. We prove post-quantum security of tweakable Even-Mansour when attackers have quantum access to the public random permutation but only classical access to the secretly-keyed construction, the most relevant setting for most real-world applications. We then use our results to prove post-quantum security, in the same model, of three symmetric-key schemes: Elephant (an AEAD finalist of NIST's lightweight cryptography standardization effort), Minalpher (a second-round AEAD candidate of the CAESAR competition), and Chaskey (an ISO-standardized MAC).

    Non-Abelian gauge fields and topological insulators in shaken optical lattices

    Time-periodic driving like lattice shaking offers a low-demanding method to generate artificial gauge fields in optical lattices. We identify the relevant symmetries that have to be broken by the driving function for that purpose and demonstrate the power of this method by making concrete proposals for its application to two-dimensional lattice systems: we show how to tune frustration and how to create and control band touching points like Dirac cones in the shaken kagomé lattice. We propose the realization of a topological and a quantum spin Hall insulator in a shaken spin-dependent hexagonal lattice. We describe how strong artificial magnetic fields can be achieved, for example, in a square lattice by employing superlattice modulation. Finally, exemplified on a shaken spin-dependent square lattice, we develop a method to create strong non-Abelian gauge fields.
    Comment: 5 pages, 4 figures + supplemental material (2 pages, 1 figure). Accepted for publication in Phys. Rev. Lett. Minor changes with respect to version 2 to improve presentatio