Symmetric Key Cryptography
PQCRYPTO Summer School on Post-Quantum Cryptography 2017
Stefan Kölbl
June 20th, 2017
DTU Compute, Technical University of Denmark
Introduction to Symmetric Key Cryptography
Symmetric Key Cryptography
What can we do?
• Encryption
• Authentication (MAC)
• Hashing
• Random Number Generation
• Digital Signature Schemes
• Key Exchange
Authentication
Message Authentication Code (MAC)
[Figure: MAC takes a Message and a Key and outputs a Tag]
• Produces a tag
• Provides both authenticity and integrity
• It should be hard to forge a valid tag.
• Similar to hash but has a key
• Similar to digital signature but same key
Authentication
MAC Algorithm
• Block Cipher Based (CBC-MAC)
• Hash-based (HMAC, Sponge)
• Universal Hashing (UMAC, Poly1305)
Authentication
CBC-MAC
[Figure: CBC-MAC. Starting from 0, blocks M1, M2, …, Mi are chained through EK to give the tag T]
Authentication
Hash-based:
• H(k || m)
  • Okay with Sponge, fails with MD (Merkle-Damgård) construction.
• H(m || k)
  • A collision on H allows constructing a tag collision.
• HMAC: H(k ⊕ c1 || H(k ⊕ c2 || m))
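The HMAC formula above written out with Python's hashlib, as an added example that is not from the original slides. It assumes c1 and c2 are the RFC 2104 constants 0x5c and 0x36 repeated to the hash block size; the keys and messages are constructed sample values.

```python
import hashlib
import hmac


def hmac_from_definition(key: bytes, msg: bytes, hash_name: str = "sha256") -> bytes:
    """H((k xor c1) || H((k xor c2) || m)) with c1 = 0x5c.., c2 = 0x36.. (RFC 2104)."""
    def H(data: bytes) -> bytes:
        return hashlib.new(hash_name, data).digest()

    block = hashlib.new(hash_name).block_size  # 64 for SHA-256, 136 for SHA3-256
    if len(key) > block:
        key = H(key)                           # keys longer than a block are hashed first
    key = key.ljust(block, b"\x00")            # then zero-padded to exactly one block
    k_c1 = bytes(b ^ 0x5C for b in key)        # k xor c1 (outer pad)
    k_c2 = bytes(b ^ 0x36 for b in key)        # k xor c2 (inner pad)
    return H(k_c1 + H(k_c2 + msg))


def verify(key: bytes, msg: bytes, tag: bytes, hash_name: str = "sha256") -> bool:
    """Recompute the tag and compare in constant time to avoid a timing oracle."""
    return hmac.compare_digest(hmac_from_definition(key, msg, hash_name), tag)


def agrees_with_stdlib() -> bool:
    """Check the definition against hmac.new for short, block-sized and long keys."""
    msg = b"constructed sample message"
    for hash_name in ("sha256", "sha3_256"):
        for key_len in (16, 64, 200):
            key = bytes(range(256))[:key_len]
            expected = hmac.new(key, msg, hash_name).digest()
            if hmac_from_definition(key, msg, hash_name) != expected:
                return False
    return True


if __name__ == "__main__":
    print("matches hmac.new:", agrees_with_stdlib())
```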
Authentication
Universal Hashing (UMAC, Poly1305, …)
• We need a universal hash function family H.
• Parties share a secret member of H and key k.
• Attacker does not know which one was chosen.
Definition
A set H of hash functions h : U → N is universal iff ∀x, y ∈ U:
$$\Pr_{h \in H}\bigl(h(x) = h(y)\bigr) \le \frac{1}{|N|}$$
when h is chosen uniformly at random.
Authenticated Encryption
In practice we always want Authenticated Encryption
• Encryption does not protect against malicious alterations.
• WEP [TWP07]
• Plaintext recovery OpenSSH [APW09]
• Recover TLS cookies [DR11]
Problem
A lot of things can go wrong when combining encryption and authentication.
Note: This can allow an attacker to recover plaintext, forge messages...
Authenticated Encryption [BN00]
Encrypt-and-MAC
[Figure: the Message is encrypted with EK to give the Ciphertext and, separately, MACK′ computes the Tag over the Message]
Authenticated Encryption [BN00]
MAC-then-Encrypt
[Figure: MACK′ computes the Tag over the Message; Message and Tag together are encrypted with EK to give the Ciphertext]
Authenticated Encryption [BN00]
Encrypt-then-MAC
[Figure: the Message is encrypted with EK to give the Ciphertext; MACK′ computes the Tag over the Ciphertext]
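Encrypt-then-MAC as drawn above, with verification before decryption, as an added example that is not from the original slides. AES-CTR is replaced by a constructed HMAC-SHA256 counter keystream so the block runs on the Python standard library alone; the function names, keys, nonce and message are constructed for illustration.

```python
import hashlib
import hmac
import secrets


def keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Constructed stand-in for AES-CTR: block i is HMAC-SHA256(enc_key, nonce || i)."""
    out, counter = b"", 1
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def seal(enc_key, mac_key, nonce, msg):
    """Encrypt with K, then MAC nonce || ciphertext with the independent key K'."""
    ct = xor(msg, keystream(enc_key, nonce, len(msg)))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return ct, tag


def open_sealed(enc_key, mac_key, nonce, ct, tag):
    """Check the tag first; decrypt only if it verifies."""
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed")
    return xor(ct, keystream(enc_key, nonce, len(ct)))


def demo():
    enc_key, mac_key = secrets.token_bytes(32), secrets.token_bytes(32)
    nonce = secrets.token_bytes(12)          # must never repeat under the same key
    msg = b"pay 0100 EUR to alice"           # constructed sample message
    ct, tag = seal(enc_key, mac_key, nonce, msg)

    # Encryption alone is malleable: a ciphertext bit flip flips the same plaintext bit.
    tampered = bytearray(ct)
    tampered[4] ^= ord("0") ^ ord("9")
    tampered = bytes(tampered)
    unauthenticated = xor(tampered, keystream(enc_key, nonce, len(tampered)))

    # With Encrypt-then-MAC the altered ciphertext is rejected before any decryption.
    try:
        open_sealed(enc_key, mac_key, nonce, tampered, tag)
        rejected = False
    except ValueError:
        rejected = True
    return open_sealed(enc_key, mac_key, nonce, ct, tag), unauthenticated, rejected


if __name__ == "__main__":
    print(demo())
```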
Authenticated Encryption
You have to be careful!
[Figure: CTR-Mode. Counter blocks N || 1, N || 2, N || 3 are encrypted with EK and XORed with M1, M2, M3 to give C1, C2, C3]
[Figure: CBC-MAC. Starting from 0, blocks M1, M2, …, Mi are chained through EK to give the tag T]
Authenticated Encryption
Authenticated Encryption with Associated Data (AEAD)
[Figure: AE takes the nonce N, A1, …, Am and M1, …, Ml, and outputs C1, …, Cm and the tag T]
• Associated Data A (e.g. packet header)
• Nonce N (unique number)
Authenticated Encryption
Galois/Counter Mode (GCM)
[Figure: GCM. Counter blocks N||1, N||2, …, N||l are encrypted with EK and XORed with M1, M2, …, Ml to give C1, C2, …, Cl; A1, …, Am, the ciphertext blocks and the length block m || l are each multiplied by H = EK(0) in a chain, and the result is XORed with EK(N||0) to give the tag T]
Authenticated Encryption
AES-GCM
• Widely used (TLS)
• Reusing nonce compromises security
• Weak keys for ×H
• Hardware support for AES + PCLMULQDQ
• AES-GCM-SIV?
Authenticated Encryption
CAESAR¹: Competition for Authenticated Encryption: Security, Applicability, and Robustness
• Initially 57 submissions.
• Third round: 15 Submissions left
• Goal is to have a portfolio of AE schemes
Summary
Most applications need Authenticated Encryption!
¹ https://competitions.cr.yp.to/caesar.html
Quantum Attacks
Attack Model
• Attacker listens to communication over classical channel.
• Can query a classic blackbox with the secret key.
• Attacker has large quantum computer.
• Only limited set of quantum algorithms available.
Quantum Attacks
Encryption / MACs
• Recover Key in $O(2^{k/2})$ with Grover’s.
Hash Function
• Find Preimage in $O(2^{n/2})$ with Grover’s.
• Find Collisions in $O(2^{n/3})$ [BHT97] ... but needs $O(2^{n/3})$ hardware.
Quantum Attacks
The costs are not so simple
• Costs of quantum operation vs. classic operations
• Collision finding not really faster [Ber09].
There is some work on better understanding this:
• Preimage SHA-256: $2^{166}$ logical-qubit-cycles [Amy+16].
• Preimage SHA3-256: $2^{166}$ logical-qubit-cycles [Amy+16].
Quantum Attacks
Even-Mansour
• Two keys $k_1$, $k_2$.
• Uses public permutation π.
[Figure: p is XORed with $k_1$, passed through π, and XORed with $k_2$ to give c]
Classic Security
• D queries to E
• T queries to π
• Proof for upper bound on attack success $O(DT/2^n)$
Quantum Attacks
Quantum Oracle Access to encryption algorithm
[Figure: quantum oracle for EK mapping |x⟩|0⟩ to |x⟩|EK(x)⟩]
• Very strong model for adversary.
Quantum Attacks
Simon’s Algorithm
Given $f : \{0,1\}^n \to \{0,1\}^n$ with promise that there exists $s \in \{0,1\}^n$ such that
$$\forall (x, y) \in \{0,1\}^n : f(x) = f(y) \iff x \oplus y \in \{0^n, s\}$$
Output: s
Only needs O(n) quantum queries.
Simon’s Algorithm
Circuit
[Figure: Simon’s circuit. Two registers start in |0⟩; H⊗n is applied to the first register, then f to both, the second register is measured giving f(z), and H⊗n is applied to the first register again]
State after each step:
$$|0^n\rangle|0^n\rangle$$
$$\frac{1}{\sqrt{2^n}} \sum_x |x\rangle|0^n\rangle$$
$$\frac{1}{\sqrt{2^n}} \sum_x |x\rangle|f(x)\rangle$$
$$\frac{1}{\sqrt{2}}|z\rangle + \frac{1}{\sqrt{2}}|z \oplus s\rangle$$
$$\frac{1}{\sqrt{2}} \frac{1}{\sqrt{2^n}} \sum_y (-1)^{y \cdot z}\bigl(1 + (-1)^{y \cdot s}\bigr)|y\rangle$$
Result
One step finds a vector y such that y · s = 0.
Quantum
Breaking Even-Mansour [KM12]
$$E_{k_1,k_2}(x) = \pi(x \oplus k_1) \oplus k_2$$
Construct:
$$f : \{0,1\}^n \to \{0,1\}^n$$
$$x \to E_{k_1,k_2}(x) \oplus \pi(x) = \pi(x \oplus k_1) \oplus k_2 \oplus \pi(x)$$
This function fulfills Simon’s promise:
$$f(x) = \pi(x \oplus k_1) \oplus k_2 \oplus \pi(x)$$
$$f(x \oplus k_1) = \pi(x \oplus k_1 \oplus k_1) \oplus k_2 \oplus \pi(x \oplus k_1) = \pi(x) \oplus k_2 \oplus \pi(x \oplus k_1) = \pi(x \oplus k_1) \oplus k_2 \oplus \pi(x)$$
Recover $k_1$ with O(n) quantum queries.
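A classical simulation of the construction above on a toy 8-bit Even-Mansour instance, as an added example that is not from the original slides. The permutation, keys, seed and function names are constructed; each run of Simon's circuit is simulated exactly by computing the measurement distribution from the full table of f, which is only feasible because n is tiny.

```python
import random

N = 8  # toy block size in bits (assumption; the slides leave n general)


def dot(a, b):
    """Inner product over GF(2) of two N-bit vectors."""
    return bin(a & b).count("1") & 1


def make_even_mansour(rng):
    """Constructed toy instance: random public permutation pi and secret keys k1, k2."""
    pi = list(range(1 << N))
    rng.shuffle(pi)
    k1 = rng.randrange(1, 1 << N)   # non-zero, so the period is non-trivial
    k2 = rng.randrange(1 << N)
    return pi, (lambda x: pi[x ^ k1] ^ k2), k1


def simon_sample(f_table, rng):
    """Simulate one run of Simon's circuit and return the measured y.

    Measuring f(z) leaves the first register uniform over S = {x : f(x) = f(z)};
    after the second Hadamard the amplitude of |y> is proportional to
    sum_{x in S} (-1)^(x.y), which is zero whenever y.s = 1. A random pi can give
    S more than two elements; those extra collisions never produce y.s = 1.
    """
    z = rng.randrange(1 << N)
    S = [x for x in range(1 << N) if f_table[x] == f_table[z]]
    weights = [sum(-1 if dot(x, y) else 1 for x in S) ** 2 for y in range(1 << N)]
    return rng.choices(range(1 << N), weights=weights)[0]


def add_to_basis(basis, y):
    """Insert y into a GF(2) echelon basis keyed by leading bit."""
    while y:
        top = y.bit_length() - 1
        if top not in basis:
            basis[top] = y
            return
        y ^= basis[top]


def recover_period(f_table, rng, max_runs=10_000):
    """Collect y with y.s = 0 until rank N-1, then list every non-zero s orthogonal to all."""
    basis, runs = {}, 0
    while len(basis) < N - 1 and runs < max_runs:
        add_to_basis(basis, simon_sample(f_table, rng))
        runs += 1
    candidates = [s for s in range(1, 1 << N)
                  if all(dot(s, y) == 0 for y in basis.values())]
    return candidates, runs


def demo(seed=2017):
    rng = random.Random(seed)
    pi, enc, k1 = make_even_mansour(rng)
    f_table = [enc(x) ^ pi[x] for x in range(1 << N)]          # f(x) = E(x) xor pi(x)
    promise_ok = all(f_table[x] == f_table[x ^ k1] for x in range(1 << N))
    candidates, runs = recover_period(f_table, rng)
    return promise_ok, candidates == [k1], runs


if __name__ == "__main__":
    print(demo())
```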
Quantum Attacks
Similar attacks [Kap+16] apply to
• Block Cipher Modes
• MACs
• Authenticated Encryption
• Improving Slide Attacks
Goal
Construct f such that f(x) = f(x ⊕ s) for some secret s.
Current Directions in Symmetric Key Cryptography
Symmetric Key Cryptography
Lightweight Cryptography
• Resource constraint
  • Chip area
  • Memory
  • Computing Power
  • Power/Energy
• NIST Project¹
• Many designs exist
[Figure: devices by Computing Power, with labels Standard and Lightweight: Server, Laptop / Desktop, Smartphones, Smart devices, Microcontrollers, FPGA, ASIC, RFID / Sensor Networks]
¹ https://beta.csrc.nist.gov/projects/lightweight-cryptography
Symmetric Key Cryptography
Hash-based Signatures:
• Many calls to a hash function...
• ...but only very short inputs.
• No collision resistance required
Current Designs:
• Often slow on short inputs.
• Too conservative for this restricted setting?
• Designs: ChaCha in SPHINCS, Haraka [Köl+]
[Figure: three applications of f]
Symmetric Key Cryptography
Multiparty Computation, Zero Knowledge, Fully Homomorphic Encryption
• Multiplications in primitives very costly for these applications.
• Signature size directly relates to number of ANDs (for ZK).
Symmetric Key Primitives which:
• Minimize number of ANDs
• Minimize circuit depth
• Examples: LowMC [Alb+15], MiMC [Alb+16], Kreyvium [Can+16], Flip [Méa+16]
Conclusion
Symmetric Key Cryptography
• Encryption: AES-CTR
• Hash: SHA-2, SHA-3
• Authenticated Encryption: AES-GCM, ChaCha20-Poly1305, CAESAR
Quantum Attacks
• Mostly fine with double the parameter sizes.
• Improve cryptanalytic attacks with quantum algorithms.
¹ Thanks to https://www.iacr.org/authors/tikz/ for some of the figures.
Questions?
References
[APW09] Martin R. Albrecht, Kenneth G. Paterson, and Gaven J. Watson. “Plaintext Recovery Attacks against SSH”. In: 30th IEEE Symposium on Security and Privacy (S&P 2009). 2009, pp. 16–26.
[Alb+15] Martin R. Albrecht et al. “Ciphers for MPC and FHE”. In: Advances in Cryptology - EUROCRYPT 2015. 2015, pp. 430–454.
[Alb+16] Martin R. Albrecht et al. “MiMC: Efficient Encryption and Cryptographic Hashing with Minimal Multiplicative Complexity”. In: Advances in Cryptology - ASIACRYPT 2016. 2016, pp. 191–219.
[Amy+16] Matthew Amy et al. Estimating the cost of generic quantum pre-image attacks on SHA-2 and SHA-3. Cryptology ePrint Archive, Report 2016/992. http://eprint.iacr.org/2016/992. 2016.
[BHT97] Gilles Brassard, Peter Høyer, and Alain Tapp. “Quantum cryptanalysis of hash and claw-free functions”. In: SIGACT News 28.2 (1997), pp. 14–19.
[BN00] Mihir Bellare and Chanathip Namprempre. “Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm”. In: Advances in Cryptology - ASIACRYPT 2000. 2000, pp. 531–545.
[Ber09] Daniel J Bernstein. “Cost analysis of hash collisions: Will quantum computers make SHARCS obsolete?”. In: SHARCS’09 Special-purpose Hardware for Attacking Cryptographic Systems (2009), p. 105.
[Can+16] Anne Canteaut et al. “Stream Ciphers: A Practical Solution for Efficient Homomorphic-Ciphertext Compression”. In: Fast Software Encryption - 23rd International Conference, FSE 2016. 2016, pp. 313–333.
[DR11] Thai Duong and Juliano Rizzo. “Cryptography in the Web: The Case of Cryptographic Design Flaws in ASP.NET”. In: 32nd IEEE Symposium on Security and Privacy, S&P 2011. 2011, pp. 481–489.
[KM12] Hidenori Kuwakado and Masakatu Morii. “Security on the quantum-type Even-Mansour cipher”. In: Proceedings of the International Symposium on Information Theory and its Applications, ISITA 2012. 2012, pp. 312–316.
[Kap+16] Marc Kaplan et al. “Breaking Symmetric Cryptosystems Using Quantum Period Finding”. In: Advances in Cryptology - CRYPTO 2016. 2016, pp. 207–237.
[Köl+] Stefan Kölbl et al. “Haraka v2 - Efficient Short-Input Hashing for Post-Quantum Applications”. In: IACR Trans. Symmetric Cryptol. 2016 ().
[Méa+16] Pierrick Méaux et al. “Towards Stream Ciphers for Efficient FHE with Low-Noise Ciphertexts”. In: Advances in Cryptology - EUROCRYPT 2016. 2016, pp. 311–343.
[TWP07] Erik Tews, Ralf-Philipp Weinmann, and Andrei Pyshkin. Breaking 104 bit WEP in less than 60 seconds. Cryptology ePrint Archive, Report 2007/120. http://eprint.iacr.org/2007/120. 2007.