Secure Signatures and Chosen Ciphertext Security in a Quantum Computing World

Boneh, Dan; Zhandry, Mark

doi:10.1007/978-3-642-40084-1_21

Cited by 135 publications

(117 citation statements)

References 20 publications

(25 reference statements)

Supporting

Mentioning

113

Contrasting

Unclassified

Order By: Relevance

“…Although making the DSSs less efficient, schemes by Gentry et al [2008] and Lyubashevsky [2012] are respectively shown by Boneh and Zhandry [2013] and Dagdelen et al [2013] to be secure to such an adversary, creating the quantum random oracle model. This could also motivate an important area for future research, such as proving security for more DSSs to a quantum adversary or possibly creating a generic technique that could turn a DSS secure in the random oracle model to one secure in the quantum random oracle model.…”

Section: Future Workmentioning

confidence: 99%

Practical Lattice-Based Digital Signature Schemes

Howe

Pöppelmann

O’Neill

et al. 2015

ACM Trans. Embed. Comput. Syst.

View full text Add to dashboard Cite

Digital signatures are an important primitive for building secure systems and are used in most real-world security protocols. However, almost all popular signature schemes are either based on the factoring assumption (RSA) or the hardness of the discrete logarithm problem (DSA/ECDSA). In the case of classical cryptanalytic advances or progress on the development of quantum computers, the hardness of these closely related problems might be seriously weakened. A potential alternative approach is the construction of signature schemes based on the hardness of certain lattice problems that are assumed to be intractable by quantum computers. Due to significant research advancements in recent years, lattice-based schemes have now become practical and appear to be a very viable alternative to number-theoretic cryptography. In this article, we focus on recent developments and the current state of the art in lattice-based digital signatures and provide a comprehensive survey discussing signature schemes with respect to practicality. Additionally, we discuss future research areas that are essential for the continued development of lattice-based cryptography.

show abstract

Section: Future Workmentioning

confidence: 99%

Practical Lattice-Based Digital Signature Schemes

Howe

Pöppelmann

O’Neill

et al. 2015

ACM Trans. Embed. Comput. Syst.

View full text Add to dashboard Cite

show abstract

“…This leads to natural security notions for symmetric-key encryption, which we call IND-QCCA1 and SEM-QCCA1, respectively. Following previous works, it is straightforward to define both IND-QCCA1 and SEM-QCCA1 formally, and prove that they are equivalent [BJ15; GHS16;BZ13b].…”

Section: Our Contributionsmentioning

confidence: 99%

On Quantum Chosen-Ciphertext Attacks and Learning with Errors

et al. 2020

View full text Add to dashboard Cite

Large-scale quantum computing is a significant threat to classical public-key cryptography. In strong "quantum access" security models, numerous symmetric-key cryptosystems are also vulnerable. We consider classical encryption in a model which grants the adversary quantum oracle access to encryption and decryption, but where the latter is restricted to non-adaptive (i.e., pre-challenge) queries only. We define this model formally using appropriate notions of ciphertext indistinguishability and semantic security (which are equivalent by standard arguments) and call it QCCA1 in analogy to the classical CCA1 security model. Using a bound on quantum random-access codes, we show that the standard PRF-and PRP-based encryption schemes are QCCA1-secure when instantiated with quantumsecure primitives. We then revisit standard IND-CPA-secure Learning with Errors (LWE) encryption and show that leaking just one quantum decryption query (and no other queries or leakage of any kind) allows the adversary to recover the full secret key with constant success probability. In the classical setting, by contrast, recovering the key uses a linear number of decryption queries, and this is optimal. The algorithm at the core of our attack is a (large-modulus version of) the well-known Bernstein-Vazirani algorithm. We emphasize that our results should not be interpreted as a weakness of these cryptosystems in their stated security setting (i.e., post-quantum chosen-plaintext secrecy). Rather, our results mean that, if these cryptosystems are exposed to chosen-ciphertext attacks (e.g., as a result of deployment in an inappropriate real-world setting) then quantum attacks are even more devastating than classical ones.

show abstract

“…Granting A classical access to the simulated prover S P is analogous to granting the adversary access to a classical signing oracle in a chosen message attack in the context of signatures. We could allow A to have quantum access to S P , corresponding to a quantum chosen message attack as defined in [6]. We do not know whether Unruh's construction remains secure under this relaxation.…”

Section: Zero-knowledge (Nizk)mentioning

confidence: 99%