PQC Asia Forum Seoul, 2016
What are we talking about
when we talk about
post-quantum cryptography?
Fang Song
Portland State University
PQC Asia Forum Seoul, 2016
A personal view on postquantum cryptography &
a bite on quantum algorithms
Fang Song
Portland State University
How does cryptography
change
in a quantum world?
3
Triumph of modern cryptography
2015 A.M. Turing Award
Public-key
cryptography
Symmetric-key
cryptography
Cryptographic
protocols
• Digital signature: DSA, …
• Public-key encryption: RSA,
…
• Diffie-Hellmann key
• exchange
Block ciphers: AES
• Cryptographic hash function: SHA2, …
• Secure two/multi-party
computation
• e-voting, …
Cryptography: a pillar of security for
individuals, organizations and society!
4
Modern cryptography as a science
A formal framework: provable security
2012 ACM A.M. Turing Award
“… created mathematical structures that turned
cryptography from an art into a science.”
Crypto
scheme Σ
Hard problem Π
 Security Model
 Security Analysis (Proof)
• Breaking Σ is as hard as solving Π
 Computational assumption
• EX. Factoring & Discrete Log hard to solve
5
Into a quantum world: the dark cat rises
Physicists: quantum weirdness Computer scientists
Quantum superposition
1
2
(|ALIVE〉 + |DEAD〉)
Qubit
𝛼 0 + 𝛽|1 〉
Quantum Entanglement
• Non-classical correlation
“Spooky action at a distance”
– A. Einstein
Quantum
gates & circuits
6
How does cryptography
change
in a quantum world?
7
Quantum attacks 1: break classical foundation
✗Broken!
 Computational assumption
Factoring/DL ✗ • Factoring & Discrete Log hard to solve
Public-key crypto
(DSA, RSA,DH,…)
Quantum computer can solve them , fast!
a
a[Shor94]
Need: alternative problems to build crypto on
• Exciting progress: lattice-based, code-based, …
Question: are the new problems hard
for classical & quantum computers?
Is this all we need to
worry about?
8
Quantum attacks 2: invalidate classical framework
Crypto
schemes
Lattices, …
?
✗
 Security Model
 Security Analysis
 Computational assumption:
hard for quantum computer
Alert: unique quantum attacks
This can happen now!
∃ information-theoretically secure protocol
(Technology available)
Brokenb by quantum entanglement! (vs. shared
b[CSST11]
randomness)
Need: quantum provable-security framework
Re-examine EVERY link against quantum attackers
 Largely missing in PQC research…
9
Any quantum ingredient could be a threat
Task
I
II
Run quantum
factoring
algorithm
(to break public
key crypto)
Need
Availability
Full-scale fault-tolerant
QC
2017?
2013
Ex. Quantum entanglement
Quantum
attack classical
crypto
Available now
10
How does cryptography change in
a quantum world?
Post-Quantum Cryptography
Hard problems broken
Security framework fail
Construct on new problems
Analyze Security against
quantum adv
Quantum Cryptography
Outperform classical protocols
• Ex. Quantum key distribution
Crypto tools for quantum tasks
• Ex. Encrypt quantum data
NB. Many already available (even as commercial products)
11
This Talk
1 Quantum algorithms
• A recent breakthrough: quantum algorithm for high-degree
number fields
Application: break some lattice crypto!
• The Hidden Subgroup Problem & Quantum Fourier
Sampling
2 Examples: classical security framework inadequate
• Quantum Rewinding
• Quantum random oracle model
• Quantum attack on symmetric crypto
12
exponentially
Which problems admit faster |quantum〉
algorithms than classical algorithms?
∃ Poly-time quantum algorithms for:
Factoring and discrete logarithm [Shor’94]
Basic problems in
algebraic number
theory
Constant degree
number fields
Arbitrary degree
Unit group
Principal
Class group
ideal problem
[Hallgren’02’05,SV05]
[EHKS’STOC14]
[BS’SODA16]
Best known classical algorithms need
(at least) sub-exponential time
13
Our quantum algorithms for
Unit group, Principal ideal problem
Break several lattice-based cryptosystems
believed quantum safe before
𝐿
14
Breaking some lattice crypto
 For efficiency, often use problems in lattices w/ more structures
Short-PIP
Ring-LWE
?
…
Bad news: Short-PIP based cryptosystems are broken!
Our quantum alg’s
find A generator
FHEc, Multilinear
mappingd, PKE by
GCHQe... broken
Find a short
PIP
generator of Short-PIP
a principal
Classical procedure: reduce size
ideal lattice
of generator in cyclotomic
fieldse,f
cSmartV10
dGargGH13
eCampellGS15
fCramerDPR15
Find A
generator of a
principal ideal
lattice
15
How do quantum computers
solve these problems?
16
The Hidden Subgroup Problem (HSP) framework
INPUT
Reduction
Problem Π
Quantum Algorithm
OUTPUT
Solution to Π
HSP on a
group 𝐺
Captures most quantum exponential speedup
 Standard Def.: HSP on finite group 𝐺
𝑓
𝐺
𝑆
Given: oracle function 𝑓: 𝐺 → 𝑆, s.t. ∃ 𝐻 ≤ 𝐺,
𝐻
𝑥+𝐻
𝑧+𝐻
•
𝑠0
𝑠1
𝑠𝑘
1. (Periodic on 𝐻)
𝑥−𝑦 ∈𝐻 ⇒𝑓 𝑥 =𝑓 𝑦
2. (Injective on 𝐺/𝐻)
𝑥−𝑦 ∉𝐻 ⇒𝑓 𝑥 ≠𝑓 𝑦
Goal: Find (hidden subgroup) 𝐻.
Continuous 𝔾 (e.g. ℝ𝑛 ) tricky, but we can handle
[EHKS14]
17
Interesting HSP instances
Computational Problems
HSP on G
Factoring
Discrete logarithm
ℤ
ℤ𝑁 × ℤ𝑁
Number fields (PIP etc.)
ℝ𝑂(𝑛)
Simon’s problem (Crypto app
later)
Graph isomorphism
Unique shortest vector problem
Abelian groups
∃ efficient quantum
algs
ℤ𝑛2
Symmetric group
Dihedral group
Non-abelian
Open question:
? efficient quantum
algs
18
Solving HSP: quantum Fourier sampling
Given: oracle 𝑓: 𝐺 → 𝑆 periodic on 𝐻 & …
Real Domain
ℱℤ𝑁
𝐺 = 𝑍𝑁
0
Fourier Spectrum
𝑟
𝑁/𝑟 2𝑁/𝑟
Noise becomes
intolerable as
dimension grows!
𝐺=ℤ
−𝑟
0
𝑟
−𝑟
0
𝑟
2.
Quantum Fourier Sampling:
• Quantum Fourier transform &
measure
Recover 𝐻 from samples
Old method for ℝ𝑐𝑜𝑛𝑠𝑡𝑎𝑛𝑡
• Discretize & Truncate
• Reduce to finite 𝐺
Our method for continuous ℝ𝑚
ℱℝ
𝐺=ℝ
Standard method for finite 𝐺
1.
0
𝑁−1
Goal: find 𝐻
• Informal: try to approx. sample
the ideal Fourier spectrum
directly!
−1/𝑟 0 1/𝑟
19
This Talk
1 Quantum algorithms
• A recent breakthrough: quantum algorithm for high-degree
number fields
Application: break some lattice crypto!
• The Hidden Subgroup Problem & Quantum Fourier
Sampling
2 Examples: classical security framework inadequate
• Quantum Rewinding
• Quantum random oracle model
• Quantum attack on symmetric crypto
20
Recall: classical security framework fails
 Security model inadequate for quantum attackers
✗
Crypto
?
Quantum security models:
Still at early stage
scheme Σ
Quantum hard
problem Π
 Classical proofs can fail against quantum attackers
✗
Many
PostQuantumC only
consider classical
attackers in proofs
See more in [Song’PQC14]
Lattice 𝐿
Short
vector
𝐵
𝐴 breaks
Encryption
?
Assume attacker 𝐴 breaks scheme Σ,
 Construct 𝐵 from 𝐴 solving hard problem Π.
21
I. Difficulty of quantum rewinding
 Rewinding argument
• Take snapshot of an adversary & continue
• Later “rewind” & restart from snapshot
𝐵
𝐴
𝐴
?
 Rewinding quantum adversary difficult
• Cannot copy unknown quantum state
• Information gain  disturbance on stateOnly special cases
possibleg
g[Watrous09
Quantum security of many classical protocols unclear ]
 Not often seen in PQC literature?
• Usually does not affect analysis of encryption, signature, …
• But does matter: e.g. Quantum-secure Identification scheme
(to get signature by Fiat-Shamir)
22
II. Hash function: common heuristic fails?
 Hash functions are everywhere:
Signature, message
authentication, key derivation,
bitcoin,…
 The Random Oracle (RO) heuristic widely used
• “Lazy” sampling: decide 𝐻 ⋅ on-the-fly
• Program RO: change 𝐻(⋅) adaptively
• Ease security proof of hash-based schemes
(otherwise impossible)
 Quantum-accessible Random Oracle
𝑥
𝐻(𝑥)
Hash Function
𝐻
• Nothing appears to work…
Σ𝑥 |𝑥〉
• A lot exciting developement restoring classical proofs
Σ𝑥 𝑥 |𝐻 𝑥 〉
23
III. Quantum attacking symmetric crypto
3-round Feistel Cipher
CBC-MAC
…
[KM10]
[KLL+16]
[SS’16]
Simon’s Problem
≡
HSP on ℤ𝑛2
Easy on a quantum computer
Broken!?
 These attacks need specific* quantum model
• Assume attackers have QUANTUM access to the
SECRET enc/auth algorithm
* In my opinion
unrealistic but
still possible
 Quantum random oracle is more justified
• Hash functions are public, any (quantum) user can implement it quantumly
24
Concluding Remarks
How does cryptography change in a quantum world?
Post-Quantum Cryptography
Hard problems broken
Security framework fail
Construct on new problems
Analyze Security against
quantum adv
Need more study on
(quantum) hardness
Be aware and cautious!
Many issues unclear
Quantum Cryptography
Possible complement
25
I’m hiring
 2-3 PhD students to work on
• Quantum algorithms
• Analyzing quantum security of classical crypto
• Quantum crypto
 Maybe 1 Post-doc too
 Get in touch if interested
 Young but strong in
• Check my webpage for more: fangsong.info
• Email: [email protected]
• Programming language, machine learning,
vision, …
• Portland is absolutely nice in many ways~
Thank you!
26