On Quantum Chosen-Ciphertext Attacks and Learning with Errors

Quantum computing is a significant threat to classical public-key cryptography. In strong "quantum access" security models, numerous symmetric-key cryptosystems are also vulnerable. We consider classical encryption in a model which grants the adversary quantum oracle access to encryption and decryption, but where the latter is restricted to non-adaptive (i.e., pre-challenge) queries only. We define this model formally using appropriate notions of ciphertext indistinguishability and semantic security (which are equivalent by standard arguments) and call it QCCA1 in analogy to the classical CCA1 security model. Using a bound on quantum random-access codes, we show that the standard PRF-based encryption schemes are QCCA1-secure when instantiated with quantum-secure primitives. We then revisit standard IND-CPA-secure Learning with Errors (LWE) encryption and show that leaking just one quantum decryption query (and no other queries or leakage of any kind) allows the adversary to recover the full secret key with constant success probability. In the classical setting, by contrast, recovering the key requires a linear number of decryption queries. The algorithm at the core of our attack is a (large-modulus version of) the well-known Bernstein-Vazirani algorithm. We emphasize that our results should not be interpreted as a weakness of these cryptosystems in their stated security setting (i.e., post-quantum chosen-plaintext secrecy). Rather, our results mean that, if these cryptosystems are exposed to chosen-ciphertext attacks (e.g., as a result of deployment in an inappropriate real-world setting) then quantum attacks are even more devastating than classical ones.

[1]  Silvio Micali,et al.  How to construct random functions , 1986, JACM.

[2]  Chris Peikert,et al.  A Toolkit for Ring-LWE Cryptography , 2013, IACR Cryptol. ePrint Arch..

[3]  FrodoKEM Learning With Errors Key Encapsulation Algorithm , 2017 .

[4]  Hidenori Kuwakado,et al.  Quantum distinguisher between the 3-round Feistel cipher and the random permutation , 2010, 2010 IEEE International Symposium on Information Theory.

[5]  N. Tomczak-Jaegermann The moduli of smoothness and convexity and the Rademacher averages of the trace classes $S_{p}$ (1≤p<∞) , 1974 .

[6]  Hidenori Kuwakado,et al.  Security on the quantum-type Even-Mansour cipher , 2012, 2012 International Symposium on Information Theory and its Applications.

[7]  Ashwin Nayak,et al.  Optimal lower bounds for quantum automata and random access codes , 1999, 40th Annual Symposium on Foundations of Computer Science (Cat. No.99CB37039).

[8]  Tommaso Gagliardoni,et al.  Semantic Security and Indistinguishability in the Quantum World , 2015, IACR Cryptol. ePrint Arch..

[9]  Daniel R. Simon,et al.  On the power of quantum computation , 1994, Proceedings 35th Annual Symposium on Foundations of Computer Science.

[10]  Oded Goldreich,et al.  Foundations of Cryptography: Volume 2, Basic Applications , 2004 .

[11]  Alexei Y. Kitaev,et al.  Quantum measurements and the Abelian Stabilizer Problem , 1995, Electron. Colloquium Comput. Complex..

[12]  Oded Goldreich,et al.  The Foundations of Cryptography - Volume 2: Basic Applications , 2001 .

[13]  Chris Peikert,et al.  Better Key Sizes (and Attacks) for LWE-Based Encryption , 2011, CT-RSA.

[14]  Leonid A. Levin,et al.  A hard-core predicate for all one-way functions , 1989, STOC '89.

[15]  Daniel Bleichenbacher,et al.  Chosen Ciphertext Attacks Against Protocols Based on the RSA Encryption Standard PKCS #1 , 1998, CRYPTO.

[16]  María Naya-Plasencia,et al.  Breaking Symmetric Cryptosystems Using Quantum Period Finding , 2016, CRYPTO.

[17]  Daniel Smith-Tone,et al.  Report on Post-Quantum Cryptography , 2016 .

[18]  Sean Hallgren,et al.  An improved quantum Fourier transform algorithm and applications , 2000, Proceedings 41st Annual Symposium on Foundations of Computer Science.

[19]  Christian Schaffner,et al.  Using Simon's algorithm to attack symmetric-key cryptographic primitives , 2016, Quantum Inf. Comput..

[20]  Oded Regev,et al.  On lattices, learning with errors, random linear codes, and cryptography , 2005, STOC '05.

[21]  Chris Peikert,et al.  On Ideal Lattices and Learning with Errors over Rings , 2010, JACM.

[22]  Tatsuaki Okamoto,et al.  Secure Integration of Asymmetric and Symmetric Encryption Schemes , 1999, Journal of Cryptology.

[23]  Mark Zhandry,et al.  A Note on Quantum-Secure PRPs , 2016, IACR Cryptol. ePrint Arch..

[24]  Stacey Jeffery,et al.  Quantum Homomorphic Encryption for Circuits of Low T-gate Complexity , 2014, CRYPTO.

[25]  Mark Zhandry,et al.  How to Construct Quantum Random Functions , 2012, 2012 IEEE 53rd Annual Symposium on Foundations of Computer Science.

[26]  Peter W. Shor,et al.  Algorithms for quantum computation: discrete logarithms and factoring , 1994, Proceedings 35th Annual Symposium on Foundations of Computer Science.

[27]  Mark Zhandry,et al.  Secure Signatures and Chosen Ciphertext Security in a Quantum Computing World , 2013, CRYPTO.

[28]  Mark Zhandry,et al.  Quantum-Secure Message Authentication Codes , 2013, IACR Cryptol. ePrint Arch..

[29]  Iordanis Kerenidis,et al.  Learning with Errors is easy with quantum samples , 2017, Physical Review A.

[30]  Umesh V. Vazirani,et al.  Quantum Complexity Theory , 1997, SIAM J. Comput..

[31]  Maris Ozols,et al.  Quantum Random Access Codes with Shared Randomness , 2008, 0810.2937.

[32]  RegevOded On lattices, learning with errors, random linear codes, and cryptography , 2009 .

[33]  Nader H. Bshouty,et al.  Learning DNF over the uniform distribution using a quantum example oracle , 1995, COLT '95.