Presentation is loading. Please wait.

Presentation is loading. Please wait.

Semantic Security and Indistinguishability in the Quantum World

Published byShawn Ward Modified over 6 years ago

Similar presentations

Presentation on theme: "Semantic Security and Indistinguishability in the Quantum World"β€” Presentation transcript:

1 Semantic Security and Indistinguishability in the Quantum World
Tommaso Gagliardoni1, Andreas HΓΌlsing2, Christian Schaffner3 1 IBM Research, Swiss; TU Darmstadt, Germany 2 TU Eindhoven, The Netherlands 3University of Amsterdam, CWI, QuSoft, The Netherlands Crypto Working Group, Utrecht, NL 24/03/2017

2 Introduction

3 Symmetric encryption E = (Kg, Enc, Dec)
Plaintext π’Ž Enc Ciphertext 𝒓 Randomness Secret key 𝐀 Plaintext π’Ž Dec Ciphertext

4 Adversaries I: Classical Security
Adversary = probabilistic polynomial time (PPT) algorithm

5 Adversaries II: Post-Quantum Security
Adversary = bounded-error quantum polynomial time (BQP) algorithm

6 Adversaries III: Quantum Security
Still classical ! E Adversary = bounded-error quantum polynomial time (BQP) algorithm

7 Why should we care? Use in protocols Quantum cloud Quantum obfuscation
Side-channel attacks that trigger some measurable quantum behaviour Oh, and because we can!

8 Semantic security (SEM)
Simulation-based security notion Captures intuition: It should not be possible to learn anything about the plaintext given the ciphertext which you could not also have learned without the ciphertext.

9 Semantic security (SEM): Challenge phase
( 𝑺 𝒏 ,𝒉,𝒇) π’ŽβŸ΅ 𝑺 𝒏 , 𝒄=𝑬𝒏 𝒄 π’Œ π’Ž , (𝒄,𝒉(π’Ž)) (𝒇(π’Ž)) A C A cannot do significantly better in the above game than a simulator S that does not receive 𝑐.

10 Indistinguishability (IND) (of ciphertexts)
Pure game-based notion (no simulator) Easier to work with than SEM Intuition: You cannot distinguish the encryptions of two messages of your choice Shown to be equivalent to SEM!

11 Indistinguishability (IND): Challenge phase
( π’Ž 𝟏 , π’Ž 𝟐 ) 𝒃 ⟡ 𝑹 {𝟎,𝟏}, 𝒄=𝑬𝒏 𝒄 π’Œ π’Ž 𝒃 , 𝒄 𝒃 A C A cannot output correct b with significantly bigger probability than guessing.

12 Chosen plaintext attacks (CPA)
Adversary might learn encryptions of known messages To model worst case: Let adversary chose messages Can be combined with both security notions – IND & SEM Normally: Learning phases before & after challenge phase

13 CPA Learning phase A C π’Ž 𝒄=𝑬𝒏 𝒄 π’Œ π’Ž 𝒄
𝒄=𝑬𝒏 𝒄 π’Œ π’Ž 𝒄 A C A can ask π‘žβˆˆπ‘π‘œπ‘™π‘¦(𝑛) queries in all learning phases.

14 IND-CPA A C π’Ž 𝒄=𝑬𝒏 𝒄 π’Œ π’Ž , 𝒄 ( π’Ž 𝟏 , π’Ž 𝟐 ) 𝒃 ⟡ 𝑹 {𝟎,𝟏}, 𝒄=𝑬𝒏 𝒄 π’Œ π’Ž 𝒃 ,
Learning I 𝒄=𝑬𝒏 𝒄 π’Œ π’Ž , 𝒄 ( π’Ž 𝟏 , π’Ž 𝟐 ) 𝒃 ⟡ 𝑹 {𝟎,𝟏}, 𝒄=𝑬𝒏 𝒄 π’Œ π’Ž 𝒃 , 𝒄 Challenge A π’Ž 𝒄=𝑬𝒏 𝒄 π’Œ π’Ž , Learning II 𝒄 C 𝒃 Finish A cannot output correct b with significantly bigger probability than guessing.

15 Quantum security notions

16 Previous work [BZ13] Boneh, Zhandry: "Secure Signatures and Chosen Ciphertext Security in a Quantum Computing World", CRYPTO'13 Model encryption as unitary operator defined by: π‘₯,𝑦 π‘₯, 𝑦 β†’ π‘₯,𝑦 π‘₯, 𝑦 ⨁𝐸𝑛 𝑐 π‘˜ (π‘₯) (where 𝐸𝑛 𝑐 π‘˜ (βˆ™) is a classical encryption function)

17 Indistinguishability under quantum chosen message attacks (IND-qCPA)
Give adversary quantum access in learning phase Classical challenge phase

18 IND-qCPA A C π‘₯, 𝑦 π‘₯, 𝑦 β†’ π‘₯, 𝑦 ⨁𝐸𝑛 𝑐 π‘˜ (π‘₯) ( π’Ž 𝟏 , π’Ž 𝟐 )
π‘₯, 𝑦 β†’ π‘₯, 𝑦 ⨁𝐸𝑛 𝑐 π‘˜ (π‘₯) ( π’Ž 𝟏 , π’Ž 𝟐 ) 𝒃 ⟡ 𝑹 {𝟎,𝟏}, 𝒄=𝑬𝒏 𝒄 π’Œ π’Ž 𝒃 , 𝒄 π‘₯, 𝑦 A C π‘₯, 𝑦 β†’ π‘₯, 𝑦 ⨁𝐸𝑛 𝑐 π‘˜ (π‘₯) 𝒃 A cannot output correct b with significantly bigger probability than guessing.

19 Indistinguishability under quantum chosen message attacks (IND-qCPA)
Give adversary quantum access in learning phase Classical challenge phase Can be proven strictly stronger than IND-CPA Why would you do this? If we assume adversary has quantum access, why not also when it tries to learn something new?

20 Fully-quantum indistinguishability under quantum chosen message attacks (fqIND-qCPA)
Give adversary quantum access in learning phase Quantum challenge phase

21 fqIND-qCPA A C π‘₯, 𝑦 π‘₯, 𝑦 β†’ π‘₯, 𝑦 ⨁𝐸𝑛 𝑐 π‘˜ (π‘₯)
π‘₯, 𝑦 β†’ π‘₯, 𝑦 ⨁𝐸𝑛 𝑐 π‘˜ (π‘₯) 𝑏 ⟡ 𝑅 {0,1}, π‘₯ 1 , π‘₯ 2 , 𝑦 β†’ π‘₯ 1 , π‘₯ 2 , 𝑦 ⨁𝐸𝑛 𝑐 π‘˜ ( π‘₯ 𝑏 ) π‘₯ 1 , π‘₯ 2 , 𝑦 π‘₯, 𝑦 A C π‘₯, 𝑦 β†’ π‘₯, 𝑦 ⨁𝐸𝑛 𝑐 π‘˜ (π‘₯) 𝒃 A cannot output correct b with significantly bigger probability than guessing.

22 fqIND is unachievable [BZ13]

23 fqIND is unachievable [BZ13]

24 fqIND is unachievable [BZ13]

25 [BZ13] & our contribution

26 [BZ13] & our contribution

27 How to define qIND-qCPA?

28 How to define qIND-qCPA?

29 How to define qIND-qCPA?

30 How to define qIND-qCPA?

31 Model: (O) vs (C) (O) (C)

32 Model: (Q) vs (c) (Q) (c)

33 Model: Type (1) vs type (2)

34 Quantum indistinguishability (qIND)

35 Quantum indistinguishability (qIND)

36 Separation example

37 Separation example

38 Separation example

39 Impossibility result

40 Impossibility result

41 The attack

42 The attack

43 The attack

44 The attack

45 The attack

46 The attack

47 The attack

48 The solution

49 The solution

50 The solution

51 The solution

52 The solution

53 Secure Construction

54 Conclusion

55 https://eprint.iacr.org/2015/355
Thank you! Questions?

Download ppt "Semantic Security and Indistinguishability in the Quantum World"

Similar presentations

Computational Privacy. Overview Goal: Allow n-private computation of arbitrary funcs. –Impossible in information-theoretic setting Computational setting:

Computational Privacy. Overview Goal: Allow n-private computation of arbitrary funcs. –Impossible in information-theoretic setting Computational setting:
Anonymity-preserving Public-Key Encryption Markulf Kohlweiss Ueli Maurer, Cristina Onete, BjΓΆrn Tackmann, and Daniele Venturi PETS 2013.

Anonymity-preserving Public-Key Encryption Markulf Kohlweiss Ueli Maurer, Cristina Onete, BjΓΆrn Tackmann, and Daniele Venturi PETS 2013.
Probabilistic Public Key Encryption with Equality Test Duncan S. Wong Department of Computer Science City University of Hong Kong Joint work with Guomin.

Probabilistic Public Key Encryption with Equality Test Duncan S. Wong Department of Computer Science City University of Hong Kong Joint work with Guomin.
CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.

CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.
CIS 5371 Cryptography 3b. Pseudorandomness.

CIS 5371 Cryptography 3b. Pseudorandomness.
Encryption Public-Key, Identity-Based, Attribute-Based.

Encryption Public-Key, Identity-Based, Attribute-Based.
Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.
S EMANTICALLY - SECURE FUNCTIONAL ENCRYPTION : P OSSIBILITY RESULTS, IMPOSSIBILITY RESULTS AND THE QUEST FOR A GENERAL DEFINITION Adam O’Neill, Georgetown.

S EMANTICALLY - SECURE FUNCTIONAL ENCRYPTION : P OSSIBILITY RESULTS, IMPOSSIBILITY RESULTS AND THE QUEST FOR A GENERAL DEFINITION Adam O’Neill, Georgetown.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
Public-Key Cryptosystems Based on Composite Degree Residuosity Classes Presenter: ι™³εœ‹η’‹ EUROCRYPT'99, LNCS 1592, pp. 223-238, 1999. By Pascal Paillier Efficient.

Public-Key Cryptosystems Based on Composite Degree Residuosity Classes Presenter: ι™³εœ‹η’‹ EUROCRYPT'99, LNCS 1592, pp , By Pascal Paillier Efficient.
Co-operative Private Equality Test(CPET) Ronghua Li and Chuan-Kun Wu (received June 21, 2005; revised and accepted July 4, 2005) International Journal.

Co-operative Private Equality Test(CPET) Ronghua Li and Chuan-Kun Wu (received June 21, 2005; revised and accepted July 4, 2005) International Journal.
1 Identity-Based Encryption form the Weil Pairing Author : Dan Boneh Matthew Franklin Presentered by Chia Jui Hsu Date : 2008-06-03.

1 Identity-Based Encryption form the Weil Pairing Author : Dan Boneh Matthew Franklin Presentered by Chia Jui Hsu Date :
A Designer’s Guide to KEMs Alex Dent

A Designer’s Guide to KEMs Alex Dent
Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from

Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from
Princeton University COS 433 Cryptography Fall 2005 Boaz Barak COS 433: Cryptography Princeton University Fall 2005 Boaz Barak Lecture 2: Perfect Secrecy.

Princeton University COS 433 Cryptography Fall 2005 Boaz Barak COS 433: Cryptography Princeton University Fall 2005 Boaz Barak Lecture 2: Perfect Secrecy.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
1 CIS 5371 Cryptography 9. Data Integrity Techniques.

1 CIS 5371 Cryptography 9. Data Integrity Techniques.
CS555Spring 2012/Topic 41 Cryptography CS 555 Topic 4: Computational Approach to Cryptography.

CS555Spring 2012/Topic 41 Cryptography CS 555 Topic 4: Computational Approach to Cryptography.
Princeton University COS 433 Cryptography Fall 2005 Boaz Barak COS 433: Cryptography Princeton University Fall 2005 Boaz Barak Lecture 2: Perfect Secrecy.

Princeton University COS 433 Cryptography Fall 2005 Boaz Barak COS 433: Cryptography Princeton University Fall 2005 Boaz Barak Lecture 2: Perfect Secrecy.
15-349 Introduction to Computer and Network Security Iliano Cervesato 26 August 2008 – Modern Cryptography.

Introduction to Computer and Network Security Iliano Cervesato 26 August 2008 – Modern Cryptography.

Similar presentations

Ads by Google