Welcome to the new version of CaltechAUTHORS. Login is currently restricted to library staff. If you notice any issues, please email coda@library.caltech.edu
CaltechAUTHORS
Published March 21, 2020 | Published
Journal Article Open

On Quantum Chosen-Ciphertext Attacks and Learning with Errors

Alagic, Gorjan
Jeffery, Stacey
Ozols, Maris
Poremba, Alexander

Abstract

Large-scale quantum computing poses a major threat to classical public-key cryptography. Recently, strong "quantum access" security models have shown that numerous symmetric-key cryptosystems are also vulnerable. In this paper, we consider classical encryption in a model that grants the adversary quantum oracle access to encryption and decryption, but where we restrict the latter to non-adaptive (i.e., pre-challenge) queries only. We formalize this model using appropriate notions of ciphertext indistinguishability and semantic security (which are equivalent by standard arguments) and call it QCCA1 in analogy to the classical CCA1 security model. We show that the standard pseudorandom function ( PRF )-based encryption schemes are QCCA1 -secure when instantiated with quantum-secure primitives. Our security proofs use a strong bound on quantum random-access codes with shared randomness. Revisiting plain IND−CPA -secure Learning with Errors ( LWE ) encryption, we show that leaking only a single quantum decryption query (and no other leakage or queries of any kind) allows the adversary to recover the full secret key with constant success probability. Information-theoretically, full recovery of the key in the classical setting requires at least a linear number of decryption queries. Our results thus challenge the notion that LWE is unconditionally "just as secure" quantumly as it is classically. The algorithm at the core of our attack is a new variant of the well-known Bernstein–Vazirani algorithm. Finally, we emphasize that our results should not be interpreted as a weakness of these cryptosystems in their stated security setting (i.e., post-quantum chosen-plaintext secrecy). Rather, our results mean that, if these cryptosystems are exposed to chosen-ciphertext attacks (e.g., as a result of deployment in an inappropriate real-world setting) then quantum attacks are even more devastating than classical ones.

Additional Information

© 2020 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/). Received: 16 December 2019; Accepted: 18 March 2020; Published: 21 March 2020. We thank Ronald de Wolf for helpful discussions, Jop Bri t for Lemma A1 and Peter Humphries for providing us with a simple proof of Lemma A2. GA is supported by National Science Foundation (NSF) grant CCF-1763736. SJ is supported by an NWO WISE Grant and NWO Veni Innovational Research Grant under project number 639.021.752. MO is supported by Leverhulme Trust Early Career Fellowship (ECF-2015-256). AP is partially supported by AFOSR YIP award number FA9550-16-1-0495, the IQIM—an NSF Physics Frontiers Center (NSF Grant PHY- 1733907), and the Kortschak Scholars program. Author Contributions: All authors contributed equally to this work. Conceptualization, G.A., S.J., M.O. and A.P.; formal analysis, G.A., S.J., M.O. and A.P.; writing—original draft preparation, G.A., S.J., M.O. and A.P.; writing—review and editing, G.A., S.J., M.O. and A.P. All authors have read and agreed to the published version of the manuscript. The authors declare no conflict of interest.

Attached Files

Published - cryptography-04-00010-v2.pdf

Files

cryptography-04-00010-v2.pdf
Files (476.9 kB)
Name Size Download all
md5:ca7009b2c90f33e389d41367c81b8c4a
476.9 kB Preview Download

Additional details

Identifiers Funding Dates Caltech Custom Metadata
Created:
August 22, 2023
Modified:
October 19, 2023