Fang Song IQC, University of Waterloo -- “Quantum-Friendly” Reductions.

Slides:



Advertisements
Similar presentations
Quantum Copy-Protection and Quantum Money Scott Aaronson (MIT) | | | Any humor in this talk is completely unintentional.
Advertisements

Quantum Software Copy-Protection Scott Aaronson (MIT) |
Quantum Money from Hidden Subspaces Scott Aaronson (MIT) Joint work with Paul Christiano A A.
Quantum Money from Hidden Subspaces Scott Aaronson (MIT) Joint work with Paul Christiano A A.
New Developments in Quantum Money and Copy-Protected Software Scott Aaronson (MIT) Joint work with Paul Christiano A A.
Course summary COS 433: Crptography -Spring 2010 Boaz Barak.

Dominique Unruh Non-interactive zero-knowledge with quantum random oracles Dominique Unruh University of Tartu With Andris Ambainis, Ansis Rosmanis Estonian.
Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.
TAMPER DETECTION AND NON-MALLEABLE CODES Daniel Wichs (Northeastern U)
Lattice-Based Cryptography. Cryptographic Hardness Assumptions Factoring is hard Discrete Log Problem is hard  Diffie-Hellman problem is hard  Decisional.
On the (Im)Possibility of Key Dependent Encryption Iftach Haitner Microsoft Research TexPoint fonts used in EMF. Read the TexPoint manual before you delete.
The Physically Observable Security of Signature Schemes Alexander W. Dent Joint work with John Malone-Lee University of Bristol.
CMSC 414 Computer (and Network) Security Lecture 2 Jonathan Katz.
CMSC 456 Introduction to Cryptography
CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.
Oded Regev Tel-Aviv University On Lattices, Learning with Errors, Learning with Errors, Random Linear Codes, Random Linear Codes, and Cryptography and.
Analysis of Key Agreement Protocols Brita Vesterås Supervisor: Chik How Tan.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
Security Arguments for Digital Signatures and Blind Signatures Journal of Cryptology, (2000) 13: Authors: D. Pointcheval and J. Stern Presented.
1 CIS 5371 Cryptography 9. Data Integrity Techniques.
Introduction to Computer and Network Security Iliano Cervesato 26 August 2008 – Modern Cryptography.
CMSC 414 Computer and Network Security Lecture 3 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 3 Jonathan Katz.
Project supported by YESS 2009 Young Engineering Scientist Symposium « Identity Management » Cryptography for the Security of Embedded Systems Ambient.
XMSS - A Practical Forward Secure Signature Scheme based on Minimal Security Assumptions J. Buchmann, E. Dahmen, A. Hülsing | TU Darmstadt |
8. Data Integrity Techniques
(Multimedia University) Ji-Jian Chin Swee-Huay Heng Bok-Min Goi
CS 4/585: Cryptography Tom Shrimpton FAB
Unified, Minimal and Selectively Randomizable Structure-Preserving Signatures Masayaki Abe, NTT Jens Groth, University College London Miyako Ohkubo, NICT.
The Dual Receiver Cryptosystem and its Applications Presented by Brijesh Shetty.
October 1 & 3, Introduction to Quantum Computing Lecture 1 of 2 Introduction to Quantum Computing Lecture 1 of 2
Cryptography Lecture 9 Stefan Dziembowski
Foundations of Cryptography Lecture 6 Lecturer: Moni Naor.
Cryptography Lecture 2 Arpita Patra. Summary of Last Class  Introduction  Secure Communication in Symmetric Key setting >> SKE is the required primitive.
Introduction to Quantum Key Distribution
Public Key Systems 1 Merkle-Hellman Knapsack Public Key Systems 2 Merkle-Hellman Knapsack  One of first public key systems  Based on NP-complete problem.
Merkle trees Introduced by Ralph Merkle, 1979 An authentication scheme
Relationships among the Computational Powers of Breaking Dis-hog Cryptosystems K.SAKURAI † H.SHIZUYA (Kyushu Uni) (Tohoku Uni) EUROCRYPTO ‘95 † Partially.
Umans Complexity Theory Lectures Lecture 1a: Problems and Languages.
INTERVENTIONS AND INFERENCE / REASONING. Causal models  Recall from yesterday:  Represent relevance using graphs  Causal relevance ⇒ DAGs  Quantitative.
Scott CH Huang COM 5336 Cryptography Lecture 6 Public Key Cryptography & RSA Scott CH Huang COM 5336 Cryptography Lecture 6.
A new provably secure certificateless short signature scheme Authors: K.Y. Choi, J.H. Park, D.H. Lee Source: Comput. Math. Appl. (IF:1.472) Vol. 61, 2011,
Non-interactive quantum zero-knowledge proofs
On the Notion of Pseudo-Free Groups Ronald L. Rivest MIT Computer Science and Artificial Intelligence Laboratory TCC 2/21/2004.
Formal Verification of Quantum Cryptography Dominique Unruh University of Tartu.
Dominique Unruh Quantum Proofs of Knowledge Dominique Unruh University of Tartu Tartu, April 12, 2012.
PKCS #5 v2.0: Password-Based Cryptography Standard
| TU Darmstadt | Andreas Hülsing | 1 W-OTS + – Shorter Signatures for Hash-Based Signature Schemes Andreas Hülsing.
Topic 26: Discrete LOG Applications
A Simple Provably Secure AKE from the LWE Problem
Introduction to Quantum Computing Lecture 1 of 2
Cryptographic protocols 2014, Lecture 2 assumptions and reductions
Course summary COS 433: Crptography -Spring 2010 Boaz Barak.
Topic 14: Random Oracle Model, Hashing Applications
Possible Impact of quantum computing
Digital Signature Schemes and the Random Oracle Model
Practical Aspects of Modern Cryptography
Cryptography Lecture 12.
Mitigating Multi-Target-Attacks in Hash-based Signatures
SPHINCS: practical stateless hash-based signatures
Towards A Standard for Practical Hash-based Signatures
Quantum-security of commitment schemes and hash functions
On The Quantitative Hardness of the Closest Vector Problem
TWO-FACE New Public Key Multivariate Schemes
Post-Quantum Security of Fiat-Shamir
Cryptography Lecture 11.
Collapse-binding quantum commitments without random oracles
Cryptography Lecture 26.
Presentation transcript:

Fang Song IQC, University of Waterloo -- “Quantum-Friendly” Reductions

2 How do quantum attacks change classical cryptography?  Crypto-systems based on the hardness of factoring and discrete-log are broken  Factoring and discrete-log are easy on a quantum computer [ Shor’97 ]  Relax…, there are “hard” problems for quantum computers  Lattices, code-based, multivariate equations,  Super-singular elliptic curve isogenies ……  Unfortunately, this is not the end of the story…

 3 What do We Mean by “Secure”? ?  So far, only can do quantum rewinding in special cases [ Wat09,Unr12 ].

 4 What do We Mean by “Secure”?

 Main Result: Characterize “Quantum-Friendly” reductions.  Case 1: Class-Respectful Reductions  Common case: adversary has quantum inner working, classical interaction with outside world.  Formalize sufficient conditions, simple to check.  Application: (quantum-safe) one-way functions  Signatures  An efficient variant: XMSS [ BHH11 ] (Motivation of this work)  Not surprising; just making routine work rigorous and easier  Case 2: Class-Translatable Reductions  Unify a few previous works, e.g., Full-Domain Hash in QRO 5 What I Did in This Work Q: What classical security reductions can go through against quantum attacks? Side: Spell out Provable Quantum Security  Before “how”, be clear “what” to do to establish quantum security

 6 Review: Provable Classical Security C A C B A T C A  Computational Assumption  Security Requirement  Security Reduction Usually consider poly- time adversaries Use Games to formalize the following:

 7 Provable Quantum Security Classical Quantum Decide what is proper in your setting e.g., allow quantum superposition queries? Every component needs a “quantum” inspection   

 8 Lifting Game-Preserving Reductions

 9 Lifting Game-Preserving Reductions (Cont’d)

 10 A Useful Condition for Closedness OWF One-Time Signature [Lamport] Universal One-Way Hash Functions [Rompel] (Full-fledged) Hash-Tree Signature [Merkle]

 ? Upshot: let an interpreter take you to the game-preserving land! 11 Lifting Game-Updating Reductions  Application: unify previous results  E.g., a more modular proof for Full-Domain Hash in Quantum RO.

  Takeaways  To establish quantum security of a classical scheme, assumptions, security definitions, reductions all need to be re-examined.  We’ve given characterizations for “quantum-friendly” reductions.  Simple cases: there is a tool to ease the routine wok.  Future Directions  Apply and extend our characterization and tools  Many straightforward applications  More interesting cases: rewinding, QRO, generic interpreter …  Reinvestigate fundamental objects  PesudoRandomFunctions  Quantum-accessible PRPermutations?  May shed light on quantum unitary designs.  Reduction has quantum access to adversary?  A different flavor of game-updating reductions.  E.g. Quantum Goldreich-Levin [ AC’STACS02 ] 12 Discussions Thank you!

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.