Semantic Security and Indistinguishability in the Quantum ... · 24/03/2017 · Semantic Security and Indistinguishability in the Quantum World Tommaso Gagliardoni1, Andreas Hülsing2,

Semantic Security and Indistinguishability in the

Quantum World

Tommaso Gagliardoni1, Andreas Hülsing2, Christian Schaffner3

1 IBM Research, Swiss; TU Darmstadt, Germany2 TU Eindhoven, The Netherlands

3University of Amsterdam, CWI, QuSoft, The Netherlands

Crypto Working Group, Utrecht, NL24/03/2017

Introduction

2

Symmetric encryption E = (Kg, Enc, Dec)

3

EncPlaintext𝒎

𝒓Randomness

Secret key 𝐤

Ciphertext

DecCiphertext Plaintext

𝒎

Adversaries I: Classical Security

4

E

Adversary = probabilistic polynomial time (PPT) algorithm

Adversaries II: Post-Quantum Security

5

E

Adversary = bounded-error quantum polynomial time (BQP) algorithm

Adversaries III: Quantum Security

6

E

Adversary = bounded-error quantum polynomial time (BQP) algorithm

Why should we care?

1. Use in protocols

2. Quantum cloud

3. Quantum obfuscation

4. Side-channel attacks that trigger some measurable quantum behaviour

5. Oh, and because we can!

7

Semantic security (SEM)

• Simulation-based security notion

• Captures intuition:

It should not be possible to learn anything about the plaintext given the ciphertext which you could not also have learned without the ciphertext.

8

Semantic security (SEM): Challenge phase

9

(𝑺𝒏, 𝒉, 𝒇)

𝒎 ⟵ 𝑺𝒏,𝒄 = 𝑬𝒏𝒄𝒌 𝒎 ,(𝒄, 𝒉(𝒎))

(𝒇(𝒎))

A C

A cannot do significantly better in the above game than a simulator S that does not receive 𝑐.

Indistinguishability (IND)(of ciphertexts)• Pure game-based notion (no simulator)

• Easier to work with than SEM

• Intuition:

You cannot distinguish the encryptions of two messages of your choice

• Shown to be equivalent to SEM!

10

Indistinguishability (IND): Challenge phase

11

(𝒎𝟏,𝒎𝟐)𝒃 ⟵𝑹 {𝟎, 𝟏},𝒄 = 𝑬𝒏𝒄𝒌 𝒎𝒃 ,𝒄

𝒃

A C

A cannot output correct b with significantly bigger probability than guessing.

Chosen plaintext attacks (CPA)

• Adversary might learn encryptions of known messages

• To model worst case: Let adversary chose messages

• Can be combined with both security notions – IND & SEM

• Normally: Learning phases before & after challenge phase

12

CPA Learning phase

13

𝒎

𝒄 = 𝑬𝒏𝒄𝒌 𝒎𝒄

A C

A can ask 𝑞 ∈ 𝑝𝑜𝑙𝑦(𝑛) queries in all learning phases.

IND-CPA

14

(𝒎𝟏,𝒎𝟐)𝒃 ⟵𝑹 {𝟎, 𝟏},𝒄 = 𝑬𝒏𝒄𝒌 𝒎𝒃 ,

𝒄

𝒃

AC

A cannot output correct b with significantly bigger probability than guessing.

𝒎𝒄 = 𝑬𝒏𝒄𝒌 𝒎 ,𝒄

𝒎𝒄 = 𝑬𝒏𝒄𝒌 𝒎 ,𝒄

Learning I

Learning II

Challenge

Finish

Quantum security notions

15

Previous work

[BZ13] Boneh, Zhandry: "Secure Signatures and Chosen Ciphertext Security in a Quantum Computing World", CRYPTO'13

Model encryption as unitary operator defined by:

𝑥,𝑦 𝑥, 𝑦 →

𝑥,𝑦 𝑥, 𝑦 ⨁𝐸𝑛𝑐𝑘(𝑥)

(where 𝐸𝑛𝑐𝑘(∙) is a classical encryption function)

16

Indistinguishability under quantum chosen message attacks (IND-qCPA)

• Give adversary quantum access in learning phase

• Classical challenge phase

17

𝑥, 𝑦

𝑥, 𝑦 → 𝑥, 𝑦 ⨁𝐸𝑛𝑐𝑘(𝑥)

IND-qCPA

18

(𝒎𝟏,𝒎𝟐)𝒃 ⟵𝑹 {𝟎, 𝟏},𝒄 = 𝑬𝒏𝒄𝒌 𝒎𝒃 ,

𝒄

𝒃

AC

A cannot output correct b with significantly bigger probability than guessing.

𝑥, 𝑦

𝑥, 𝑦 → 𝑥, 𝑦 ⨁𝐸𝑛𝑐𝑘(𝑥)

Indistinguishability under quantum chosen message attacks (IND-qCPA)

• Give adversary quantum access in learning phase

• Classical challenge phase

• Can be proven strictly stronger than IND-CPA

• Why would you do this?

• If we assume adversary has quantum access, why not also when it tries to learn something new?

19

Fully-quantum indistinguishability under quantum chosen message attacks (fqIND-qCPA)

• Give adversary quantum access in learning phase

• Quantum challenge phase

20

𝑥, 𝑦

𝑥, 𝑦 → 𝑥, 𝑦 ⨁𝐸𝑛𝑐𝑘(𝑥)

fqIND-qCPA

21

𝑏 ⟵𝑅 {0,1}, 𝑥1, 𝑥2, 𝑦 → 𝑥1, 𝑥2, 𝑦 ⨁𝐸𝑛𝑐𝑘(𝑥𝑏)

𝒃

A C

A cannot output correct b with significantly bigger probability than guessing.

𝑥, 𝑦

𝑥, 𝑦 → 𝑥, 𝑦 ⨁𝐸𝑛𝑐𝑘(𝑥)

𝑥1, 𝑥2, 𝑦

fqIND is unachievable [BZ13]

22

fqIND is unachievable [BZ13]

23

fqIND is unachievable [BZ13]

24

[BZ13] & our contribution

25

[BZ13] & our contribution

26

How to define qIND-qCPA?

27

How to define qIND-qCPA?

28

How to define qIND-qCPA?

29

How to define qIND-qCPA?

30

Model: (O) vs (C)

31

(O) (C)

Model: (Q) vs (c)

32

(Q) (c)

Model: Type (1) vs type (2)

33

Type (1) Type (2)

Quantum indistinguishability (qIND)

34

Quantum indistinguishability (qIND)

35

Separation example

36

Separation example

37

Separation example

38

Impossibility result

39

Impossibility result

40

The attack

41

The attack

42

The attack

43

The attack

44

The attack

45

The attack

46

The attack

47

The solution

48

The solution

49

The solution

50

The solution

51

The solution

52

Secure Construction

53

Conclusion

54

https://eprint.iacr.org/2015/355

55

Thank you!

Questions?