Quantum Security of Cryptographic Primitives

We call quantum security the area of IT security dealing with scenarios where one or more parties have access to quantum hardware. This encompasses both the fields of post-quantum cryptography (that is, traditional cryptography engineered to be resistant against quantum adversaries), and quantum cryptography (that is, security protocols designed to be natively run on a quantum infrastructure, such as quantum key distribution). Moreover, there exist also hybrid models, where traditional cryptographic schemes are somehow `mixed' with quantum operations in certain scenarios. Even if a fully-fledged, scalable quantum computer has yet to be built, recent results and the pace of research in its realization call for attention, lest we suddenly find ourselves one day with an obsolete security infrastructure. For this reason, in the last two decades research in quantum security has experienced an exponential growth in interest and investments. In this work, we propose the first systematic classification of quantum security scenarios, and for each of them we recall the main tools and results, as well as presenting new ones. We achieve this goal by identifying four distinct quantum security classes, or domains, each of them encompassing the security notions and constructions related to a particular scenario. We start with the class QS0, which is `classical cryptography' (meaning that no quantum scenario is considered), where we present some classical constructions and results as a preliminary step. Regarding post-quantum cryptography, we introduce the class QS1, where we discuss in detail the problems arising when designing a classical cryptographic object meant to be resistant against adversaries with local quantum computing power, and we provide a classification of the possible quantum security reductions in this scenario when considering provable security. Moreover, we present results about the quantum security and insecurity of the Fiat-Shamir transformation (a useful tool used to turn interactive identification schemes into digital signatures), and ORAMs (protocols used to outsource a database in a private way). In respect to hybrid classical-quantum models, in the security class QS2 we discuss in detail the possible scenarios where these scenarios arise, and what a correct formalization should be in terms of quantum oracle access. We also provide a novel framework for the quantum security (both in terms of indistinguishability and semantic security) of secret-key encryption schemes, and we give explicit secure constructions, as well as impossibility results. Finally, in the class QS3 we consider all those cryptographic constructions designed to run natively on quantum hardware. We give constructions for quantum encryption schemes (both in the secret- and public-key scenario), and we introduce transformations for obtaining such schemes by conceptually simpler schemes from the class QS2. Moreover, we introduce a quantum version of ORAM, called quantum ORAM (QORAM), aimed at outsourcing in a private way a database composed of quantum data. In proposing a suitable security model and an explicit construction for QORAMs, we also introduce a technique of independent interest which models a quantum adversary able to extract information from a quantum system without disturbing it `too much'. We believe that the framework we introduce in this work will be a valuable tool for the scientific community in addressing the challenges arising when formalizing sound constructions and notions of security in the quantum world.

[1]  Daniel A. Lidar,et al.  Reexamining classical and quantum models for the D-Wave One processor , 2014, 1409.3827.

[2]  Hidenori Kuwakado,et al.  Quantum distinguisher between the 3-round Feistel cipher and the random permutation , 2010, 2010 IEEE International Symposium on Information Theory.

[3]  Paul C. van Oorschot,et al.  White-Box Cryptography and an AES Implementation , 2002, Selected Areas in Cryptography.

[4]  V. Roychowdhury,et al.  Optimal encryption of quantum bits , 2000, quant-ph/0003059.

[5]  Amos Fiat,et al.  How to Prove Yourself: Practical Solutions to Identification and Signature Problems , 1986, CRYPTO.

[6]  Francisco Marcos de Assis,et al.  Quantum attacks on pseudorandom generators , 2013, Math. Struct. Comput. Sci..

[7]  Stephen Wiesner,et al.  Conjugate coding , 1983, SIGA.

[8]  Tommaso Gagliardoni,et al.  The Fiat-Shamir Transformation in a Quantum World , 2013, IACR Cryptol. ePrint Arch..

[9]  Umesh V. Vazirani,et al.  Quantum complexity theory , 1993, STOC.

[10]  Peter W. Shor,et al.  Algorithms for quantum computation: discrete logarithms and factoring , 1994, Proceedings 35th Annual Symposium on Foundations of Computer Science.

[11]  Whitfield Diffie,et al.  New Directions in Cryptography , 1976, IEEE Trans. Inf. Theory.

[12]  Lov K. Grover A fast quantum mechanical algorithm for database search , 1996, STOC '96.

[13]  Ivan Damgård,et al.  Superposition Attacks on Cryptographic Protocols , 2011, ICITS.

[14]  Gilles Brassard,et al.  Quantum cryptography: Public key distribution and coin tossing , 2014, Theor. Comput. Sci..

[15]  Joseph Fitzsimons,et al.  Composable Security of Delegated Quantum Computation , 2013, ASIACRYPT.

[16]  Scott Aaronson,et al.  Quantum Copy-Protection and Quantum Money , 2009, 2009 24th Annual IEEE Conference on Computational Complexity.

[17]  Sanjeev Arora,et al.  Computational Complexity: A Modern Approach , 2009 .

[18]  Daniele Micciancio Lattice-Based Cryptography , 2011, Encyclopedia of Cryptography and Security.

[19]  Stacey Jeffery,et al.  Quantum Homomorphic Encryption for Circuits of Low T-gate Complexity , 2014, CRYPTO.

[20]  Elham Kashefi,et al.  Comparison of quantum oracles , 2002 .

[21]  R. Feynman Simulating physics with computers , 1999 .

[22]  Stefan Katzenbeisser,et al.  ORAMs in a Quantum World , 2017, PQCrypto.

[23]  Louis Goubin,et al.  Unbalanced Oil and Vinegar Signature Schemes , 1999, EUROCRYPT.

[24]  Fang Song,et al.  A Note on Quantum Security for Post-Quantum Cryptography , 2014, PQCrypto.

[25]  Mark Zhandry,et al.  Quantum-Secure Message Authentication Codes , 2013, IACR Cryptol. ePrint Arch..

[26]  Ran Canetti,et al.  The random oracle methodology, revisited , 2000, JACM.

[27]  Elaine Shi,et al.  Towards Practical Oblivious RAM , 2011, NDSS.

[28]  Robert J. McEliece,et al.  A public key cryptosystem based on algebraic coding theory , 1978 .

[29]  Jean-Jacques Quisquater,et al.  A "Paradoxical" Indentity-Based Signature Scheme Resulting from Zero-Knowledge , 1988, CRYPTO.

[30]  Christian Schaffner,et al.  Using Simon's algorithm to attack symmetric-key cryptographic primitives , 2016, Quantum Inf. Comput..

[31]  John Watrous,et al.  Zero-knowledge against quantum attacks , 2005, STOC '06.

[32]  Mark Zhandry,et al.  How to Construct Quantum Random Functions , 2012, 2012 IEEE 53rd Annual Symposium on Foundations of Computer Science.

[33]  Mark Zhandry,et al.  New Security Notions and Feasibility Results for Authentication of Quantum Data , 2016, CRYPTO.

[34]  Leonid A. Levin,et al.  A hard-core predicate for all one-way functions , 1989, STOC '89.

[35]  Craig Costello,et al.  Frodo: Take off the Ring! Practical, Quantum-Secure Key Exchange from LWE , 2016, IACR Cryptol. ePrint Arch..

[36]  Alexander Russell,et al.  Quantum-Secure Symmetric-Key Cryptography Based on Hidden Shifts , 2016, EUROCRYPT.

[37]  Dominique Unruh,et al.  Post-Quantum Security of the CBC, CFB, OFB, CTR, and XTS Modes of Operation , 2016, PQCrypto.

[38]  Rafail Ostrovsky,et al.  Software protection and simulation on oblivious RAMs , 1996, JACM.

[39]  Hidenori Kuwakado,et al.  Security on the quantum-type Even-Mansour cipher , 2012, 2012 International Symposium on Information Theory and its Applications.

[40]  Claus-Peter Schnorr,et al.  Efficient signature generation by smart cards , 2004, Journal of Cryptology.

[41]  John Watrous,et al.  Quantum algorithms for solvable groups , 2000, STOC '01.

[42]  Andrew Chi-Chih Yao,et al.  Theory and Applications of Trapdoor Functions (Extended Abstract) , 1982, FOCS.

[43]  Taher El Gamal A public key cryptosystem and a signature scheme based on discrete logarithms , 1984, IEEE Trans. Inf. Theory.

[44]  Leonid A. Levin,et al.  A Pseudorandom Generator from any One-way Function , 1999, SIAM J. Comput..

[45]  Gilles Brassard,et al.  Quantum cryptanalysis of hash and claw-free functions , 1997, SIGA.

[46]  Adam D. Smith,et al.  Classical Cryptographic Protocols in a Quantum World , 2011, IACR Cryptol. ePrint Arch..

[47]  Russell Impagliazzo,et al.  Limits on the provable consequences of one-way permutations , 1988, STOC '89.

[48]  Adam D. Smith,et al.  Authentication of quantum messages , 2001, The 43rd Annual IEEE Symposium on Foundations of Computer Science, 2002. Proceedings..

[49]  Tanja Lange,et al.  Post-quantum cryptography , 2008, Nature.

[50]  Andris Ambainis,et al.  Private quantum channels , 2000, Proceedings 41st Annual Symposium on Foundations of Computer Science.

[51]  David Jao,et al.  Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies , 2011, J. Math. Cryptol..

[52]  Dominique Unruh Everlasting Multi-party Computation , 2018, Journal of Cryptology.

[53]  Vadim Lyubashevsky,et al.  Lattice Signatures Without Trapdoors , 2012, IACR Cryptol. ePrint Arch..

[54]  Oded Goldreich,et al.  The Foundations of Cryptography - Volume 2: Basic Applications , 2001 .

[55]  Christian Schaffner,et al.  Quantum cryptography beyond quantum key distribution , 2015, Designs, Codes and Cryptography.

[56]  Chris Peikert,et al.  On Ideal Lattices and Learning with Errors over Rings , 2010, JACM.

[57]  Oded Goldreich,et al.  The Foundations of Cryptography - Volume 1: Basic Techniques , 2001 .

[58]  Jacques Stern,et al.  Security Arguments for Digital Signatures and Blind Signatures , 2015, Journal of Cryptology.

[59]  Sang Joon Kim,et al.  A Mathematical Theory of Communication , 2006 .

[60]  Silvio Micali,et al.  How to Construct Random Functions (Extended Abstract) , 1984, FOCS.

[61]  Dominique Unruh,et al.  Non-Interactive Zero-Knowledge Proofs in the Quantum Random Oracle Model , 2015, EUROCRYPT.

[62]  Jan Camenisch,et al.  Fully Anonymous Attribute Tokens from Lattices , 2012, SCN.

[63]  Tommaso Gagliardoni,et al.  Semantic Security and Indistinguishability in the Quantum World , 2015, IACR Cryptol. ePrint Arch..

[64]  Daniel R. Simon,et al.  On the power of quantum computation , 1994, Proceedings 35th Annual Symposium on Foundations of Computer Science.

[65]  Silvio Micali,et al.  How to Prove all NP-Statements in Zero-Knowledge, and a Methodology of Cryptographic Protocol Design , 1986, CRYPTO.

[66]  P. Coveney,et al.  Scalable Quantum Simulation of Molecular Energies , 2015, 1512.06860.

[67]  Maika Takita,et al.  Demonstration of Weight-Four Parity Measurements in the Surface Code Architecture. , 2016, Physical review letters.

[68]  Yehuda Lindell,et al.  Introduction to Modern Cryptography , 2004 .

[69]  Sanjam Garg,et al.  TWORAM: Efficient Oblivious RAM in Two Rounds with Applications to Searchable Encryption , 2016, CRYPTO.

[70]  Dominique Unruh,et al.  Quantum Proofs of Knowledge , 2012, IACR Cryptol. ePrint Arch..

[71]  Mihir Bellare,et al.  Practice-Oriented Provable-Security , 1997, ISW.

[72]  Mark Zhandry,et al.  Secure Identity-Based Encryption in the Quantum Random Oracle Model , 2012, CRYPTO.

[73]  Pooya Farshim,et al.  Random-Oracle Uninstantiability from Indistinguishability Obfuscation , 2015, TCC.

[74]  Alfred Menezes,et al.  The Elliptic Curve Digital Signature Algorithm (ECDSA) , 2001, International Journal of Information Security.

[75]  Craig Gentry,et al.  Trapdoors for hard lattices and new cryptographic constructions , 2008, IACR Cryptol. ePrint Arch..

[76]  Dan Boneh,et al.  The Decision Diffie-Hellman Problem , 1998, ANTS.

[77]  Mark Zhandry,et al.  Secure Signatures and Chosen Ciphertext Security in a Quantum Computing World , 2013, CRYPTO.

[78]  Adi Shamir,et al.  A method for obtaining digital signatures and public-key cryptosystems , 1978, CACM.

[79]  Oded Goldreich,et al.  Public-Key Cryptosystems from Lattice Reduction Problems , 1996, CRYPTO.

[80]  María Naya-Plasencia,et al.  Breaking Symmetric Cryptosystems Using Quantum Period Finding , 2016, CRYPTO.

[81]  Mark Zhandry,et al.  Random Oracles in a Quantum World , 2010, ASIACRYPT.

[82]  Mihir Bellare,et al.  Random oracles are practical: a paradigm for designing efficient protocols , 1993, CCS '93.

[83]  A. D. Santis,et al.  Zero-Knowledge Proofs of Knowledge Without Interaction (Extended Abstract) , 1992, FOCS 1992.

[84]  I. Chuang,et al.  Quantum Computation and Quantum Information: Introduction to the Tenth Anniversary Edition , 2010 .

[85]  Tommaso Gagliardoni,et al.  Computational Security of Quantum Encryption , 2016, ICITS.

[86]  Gilles Brassard,et al.  Strengths and Weaknesses of Quantum Computing , 1997, SIAM J. Comput..

[87]  Ling Ren,et al.  Path ORAM , 2012, J. ACM.

[88]  Fang Song,et al.  Making Existential-Unforgeable Signatures Strongly Unforgeable in the Quantum Random-Oracle Model , 2015, IACR Cryptol. ePrint Arch..