Advances in Cryptology – ASIACRYPT 2017

In recent years, there has been a substantial amount of research on quantum computers – machines that exploit quantum mechanical phenomena to solve mathematical problems that are difficult or intractable for conventional computers. If large-scale quantum computers are ever built, they will compromise the security of many commonly used cryptographic algorithms. In particular, quantum computers would completely break many public-key cryptosystems, including those standardized by NIST and other standards organizations. Due to this concern, many researchers have begun to investigate post-quantum cryptography (also called quantum-resistant cryptography). The goal of this research is to develop cryptographic algorithms that are secure against both quantum and classical computers and that can interoperate with existing communications protocols and networks.

A significant effort will be required to develop, standardize, and deploy new post-quantum algorithms. In addition, this transition needs to take place well before any large-scale quantum computers are built, so that data encrypted today, and possibly recorded by an adversary, is no longer sensitive by the time quantum cryptanalysis can recover it.

NIST has taken several steps in response to this potential threat. In 2015, NIST held a public workshop and later published NISTIR 8105, Report on Post-Quantum Cryptography, which shares NIST's understanding of the status of quantum computing and post-quantum cryptography. NIST also decided to develop additional public-key cryptographic algorithms through a public standardization process, similar to the development processes for the hash function SHA-3 and the Advanced Encryption Standard (AES). To begin the process, NIST issued a detailed set of minimum acceptability requirements, submission requirements, and evaluation criteria for candidate algorithms, available at http://www.nist.gov/pqcrypto. The deadline for algorithms to be submitted was November 30, 2017.
In this talk, I will share the rationale on the major decisions NIST has made, such as excluding hybrid and (stateful) hash-based signature schemes. I will also talk about some open research questions and their potential impact on the standardization effort, in addition to some of the practical issues that arose while creating the API. Finally, I will give some preliminary information about the submitted algorithms, and discuss what we've learned during the first part of the standardization process.