Hi, I'm Joseph and I'll be talking about some work I did with Fang Song and Stefano Tessaro, trying to understand the security of key-length extension techniques against quantum attackers. So, quantum computers. Lots of money, time, and other resources are being spent these days trying to build computers which exploit quantum physics. Should these become a usable reality, they'll be introducing a form of computation which is fundamentally different from what we're used to, with various implications for the security of cryptographic algorithms. Perhaps the most commonly discussed of these is that Shor's algorithm for factoring and discrete log will completely break much of today's public-key cryptography. Grover's search is a second important algorithm, which effectively halves the key size of various secret-key cryptographic algorithms. The point here is that if we have a key of length k, a classical brute-force attack takes time 2^k, while in the quantum setting we can do this sort of attack in time 2^(k/2), meaning that something which provided 128 bits of security may now only provide 64 bits of security, which might be insufficient. So if we find ourselves using a scheme with keys that are too short, there are two approaches we might take. The first is to design new schemes which just inherently have longer keys. The second approach, which is the focus of this paper, is designing key-length extension techniques, where we take our given scheme and apply some transform which uses the scheme, with more keying material, to encrypt our data. We ran into this previously with DES, whose very short keys led to the design of a variety of algorithms that use longer keys, as well as the analysis of various key-length extension techniques which would let us keep using DES while augmenting it to have longer keys.
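To make the brute-force comparison concrete, here is a minimal classical sketch in Python. The cipher here is a made-up toy mixing function, not a real block cipher: classical exhaustive search tries up to 2^k keys, while Grover's algorithm would need only about 2^(k/2) quantum evaluations.

```python
# Toy brute-force key recovery. With a k-bit key, a classical attack tries up
# to 2^k keys; Grover's algorithm would need only ~2^(k/2) quantum queries.
# toy_cipher is a hypothetical stand-in, not a real cipher.
def toy_cipher(key: int, x: int) -> int:
    # Made-up keyed mixing on 16-bit values with an 8-bit key.
    return (x ^ key) * 0x9E3779B1 % (1 << 16) ^ key

def brute_force(k_bits: int, plaintext: int, ciphertext: int) -> int:
    # Classical exhaustive search: worst case 2^k trials.
    for key in range(1 << k_bits):
        if toy_cipher(key, plaintext) == ciphertext:
            return key
    return -1

secret = 0x2A
pt = 0x1234
ct = toy_cipher(secret, pt)
found = brute_force(8, pt, ct)   # a key consistent with the (pt, ct) pair
```

With a single plaintext/ciphertext pair the search may return any consistent key; in practice a few pairs pin down the key uniquely.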
If we want to analyze the security of these things, what we'll focus on in this paper is pseudorandom permutations and PRFs. Just to remind you, in this setting we're thinking of an adversary which has oracle access either to the actual scheme in question or to a random permutation, or, in the case of PRF security, a random function. The advantage of the adversary is just the difference in the probability that it outputs one in these two settings. Since in this work we'll be working in ideal models, the adversary will also have oracle access to some random oracle or ideal cipher or something like that. It's useful to remember that the adversary's code, as well as all of its queries to the ideal primitive, are thought of as local computation occurring on the adversary's computer, whereas the other oracle queries are external computation being performed by whoever the adversary is attacking. With this perspective, when we're thinking about quantum security, there are really three levels of security we might consider. The first is normal classical security, where both the adversary's and the honest users' computers are completely classical; nothing quantum is happening here. This is the typical model. A second model people consider is what I'll call the partially quantum model. Here the adversary has access to a quantum computer, meaning that its local computation is quantum, including superposition queries to the ideal primitive, but the honest users' computation is still being done classically. In the short term, this security notion seems sufficient for any practical uses of cryptography. Going beyond that, we obtain the fully quantum model, where all of the computation is quantum, meaning that all of the queries made by the adversary can be done in superposition.
Throughout the rest of the talk, I'll use q to denote the number of queries the attacker makes to the external computation, p to denote its internal queries to ideal primitives, and when I need to write advantage functions, I'll prefix them with C, PQ, or Q to denote which sort of security that advantage is with respect to. Given this, let me give a brief overview of the different techniques we consider in our paper. The first is called FX, and it augments a block cipher E with an extra key k2, which gets XORed into the input of the block cipher and into its output. This was analyzed in the classical setting by Kilian and Rogaway, who showed that it is indeed a sound technique for key-length extension. However, if we go all the way to the fully quantum setting, some clever attacks combining multiple different quantum algorithms show that this is actually not a sound key-length extension technique: it's no more secure than if we were just using E by itself, without the extra XORs. However, these attacks seem to, in some sense, fundamentally require quantum access to all of the adversary's oracles, which raises an obvious question: what happens in the partially quantum setting? We address this in our work, giving a proof that it is indeed a sound key-length extension technique in this setting. Now, for technical reasons, due to the difficulty of quantum analysis of schemes based on random permutations, we were only able to show this against non-adaptive attacks, which decide all of their queries to the external function ahead of time. To start picking away at how we might analyze the adaptive setting, we looked at a related key-length extension technique, which we call FFX, which just replaces the block cipher with a random function, and we consider PRF security. Here, because you can only evaluate things in one direction, we only need to XOR k2 into the input and not the output.
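As a sketch of the two constructions just described, here is a minimal Python version; E is a toy keyed permutation built by shuffling, standing in for a real block cipher:

```python
import random

# Toy block cipher stand-in: a table of random permutations, one per key.
# This is only for illustration, not a real cipher.
def make_toy_cipher(n_bits=8, key_bits=4, seed=0):
    rng = random.Random(seed)
    perms = {k: rng.sample(range(1 << n_bits), 1 << n_bits)
             for k in range(1 << key_bits)}
    return lambda k, x: perms[k][x]

E = make_toy_cipher()

def FX(k1, k2, x):
    # FX: XOR the extra key k2 into both the input and the output of E.
    return E(k1, x ^ k2) ^ k2

def FFX(F, k1, k2, x):
    # FFX: F is a function evaluated in one direction only, so we
    # only XOR k2 into the input, not the output.
    return F(k1, x ^ k2)
```

The XOR key k2 can be as long as the block size, so FX extends the effective key material of E from |k1| to |k1| + n bits (against classical attackers).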
For this scheme, we give a proof that it has fully adaptive security in the partially quantum setting. The final technique that we consider is double encryption, where you just apply your block cipher twice with independent keys. You may be aware that in the classical setting this is actually no more secure than single encryption, because of the meet-in-the-middle attack. Given that, it might be surprising to hear that, despite this, in the quantum setting it actually is a sound key-length extension technique. The high-level idea of why this is possible is that the savings from a meet-in-the-middle attack and the savings from Grover search in some sense can't be combined. Either one lets you halve the effective key length of double encryption, but you can't combine them to quarter it. More concretely, these three proofs are the contributions of our paper. The security bounds we prove look like this. I won't dive into the details of exactly what they say, but the high-level takeaway is that the insides of these various roots are what we'd expect based on the best-known attacks: they give the right parameters at which the advantage approaches one. It would be an interesting direction for future research to see if these various roots could be improved or gotten rid of. In terms of techniques, our first, non-adaptive proof relies just on a careful application of so-called one-way-to-hiding results. Our adaptive proof for FFX uses both one-way-to-hiding and Zhandry's technique for lazily sampling a random function. Finally, our fully quantum proof for double encryption relies on a recently discovered reduction to a worst-case list disjointness problem, and then a quantum analysis of the hardness of list disjointness. I'll go through these one at a time in slightly more detail, starting with FX. Recall that FX is the construction where we XOR an extra key into the input and the output of the block cipher.
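To see why double encryption gives no classical gain, here is a sketch of the meet-in-the-middle attack on a toy double encryption DE(k1, k2, x) = E(k2, E(k1, x)): roughly 2^k time and memory instead of the naive 2^(2k). The cipher is again a made-up keyed permutation.

```python
import random

# Toy block cipher with 6-bit keys and 8-bit blocks (illustration only).
def make_toy_cipher(n_bits=8, key_bits=6, seed=1):
    rng = random.Random(seed)
    perms = [rng.sample(range(1 << n_bits), 1 << n_bits)
             for _ in range(1 << key_bits)]
    inv = [{v: i for i, v in enumerate(p)} for p in perms]
    E = lambda k, x: perms[k][x]   # encryption
    D = lambda k, y: inv[k][y]     # decryption
    return E, D

E, D = make_toy_cipher()
KEYS = range(1 << 6)

def meet_in_the_middle(pt, ct):
    # Forward table: E_{k1}(pt) for every k1 -- about 2^k work and memory.
    forward = {}
    for k1 in KEYS:
        forward.setdefault(E(k1, pt), []).append(k1)
    # Backward pass: D_{k2}(ct); a match in the middle yields a candidate pair.
    for k2 in KEYS:
        mid = D(k2, ct)
        for k1 in forward.get(mid, []):
            return k1, k2   # candidate; more pt/ct pairs would filter it
    return None
```

Grover search over the full 2k-bit key space also costs about 2^k quantum time; the point of the quantum analysis is that these two square-root savings cannot be stacked.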
This was originally proposed for DES by Rivest, and generalized and proven sound in the classical setting by Kilian and Rogaway. If we consider the special case where the key length of the block cipher is zero, meaning it's really just a random permutation, this is the Even-Mansour construction of a block cipher from a random permutation. When I discuss the proof in the next slides, I'll focus on this case; adding back the key of the block cipher doesn't add anything too interesting to the analysis. Like I said, this analysis is based on one-way-to-hiding results. The high-level takeaway of these theorems is that if you can distinguish between two oracles, you must be able to find inputs where they differ. This is formalized by considering an adversary which has oracle access either to a permutation g or to a permutation h; it outputs a bit, and its advantage is the difference in the probability that it outputs one. We also associate to g and h some auxiliary string z, which is given to the adversary, and a set S, with the guarantee that g and h agree on all points x that are not in S. Then, given some distinguishing adversary A, we can design a new algorithm B which picks a random index i, runs the attack A, halts at the i-th query, and measures what A queried. The version of the one-way-to-hiding results that we use tells us that if A makes at most q quantum queries to its oracle, then its distinguishing advantage is bounded by 2q times the square root of the probability that this algorithm B outputs some x which is in the set S where g and h differ. To apply this analysis to some security result we want, the first step is to rewrite the result in a way that fits this setting of g and h differing on S; then we apply the theorem; and then we have to bound the probability that B outputs something in S.
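For reference, the one-way-to-hiding bound just described can be written as follows; the notation is my paraphrase of the statement in the talk:

```latex
\[
\left| \Pr\left[A^{g}(z) = 1\right] - \Pr\left[A^{h}(z) = 1\right] \right|
\;\le\; 2q \, \sqrt{\Pr\left[B^{h}(z) \text{ outputs some } x \in S\right]},
\]
% where g and h agree on all points x not in S, A makes at most q quantum
% queries, and B picks a uniformly random index i, runs A, halts at the
% i-th query, and measures that query register.
```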
The most common way this happens, which is what we'll use for our non-adaptive proof, is a kind of structure-agnostic setting, where we don't actually care what B looks like, and we just say that the probability that any algorithm C making q queries to an oracle outputs something in S can be bounded by some known quantity. Our second proof, the adaptive security proof for FFX, will actually have to use the structure of B. We'll have to use the knowledge that B was constructed from A, and the A we give will be the combination of an adversary and a security game. We need to do this because, for the oracles we'll have there, if we didn't insist on any structure it would actually be quite easy to find where they differ; it's only because of the particular structure of the adversary that we can say it's difficult for B to output something in S. Applying this technique in our non-adaptive security proof for FX really just boils down to finding the right way to express the security of FX so that we can apply this result. Since it's a non-adaptive attack, we think of the adversary as fixing ahead of time its queries x1 through xq to its FX oracle. Then, in our sampling, we first just randomly sample, without repetition, the responses to the adversary's queries. For the ideal world, the ideal permutation should be completely independent of these queries, so we just sample a completely independent permutation to use there. Then, to start building towards constructing our real world, we pick the random key k, which we think of as the key that was used for FX, and we find what I'm calling partner points, by which I mean the images of all the x's XORed with k and the pre-images of all the y's XORed with k.
Then, to construct the permutation for the real world, which should be consistent with the responses to the adversary's queries we picked earlier, we just do a swap, exchanging entries using the partner points we found in the previous step so that each x_i XOR k gets mapped to y_i XOR k. Once we've done this, we're able to apply the one-way-to-hiding result, where our g oracle is the real-world permutation, our h oracle is the ideal-world permutation, the auxiliary string z is the responses y1 through yq to the adversary's queries, and the set of points where our oracles differ is just all the different x's XORed with k, the y's XORed with k, the x-stars, and the y-stars. Then, in a structure-agnostic way, we can argue that the algorithm B is unlikely to output something in this set, because of the way this set depends on the randomly sampled key k, which is independent of B's view in the ideal world. I should note that on this slide I'm simplifying things: I'm ignoring the fact that the non-adaptive queries might include inverse queries, and ignoring the possibility of some incidental collisions between the various values we sample here; handling these is quite straightforward in the full proof. Next, let's look at the FFX construction, for which we gave an adaptive security proof. Again, for this construction it's fairly straightforward to use classical techniques to give a security proof, and we're going to focus on the setting where we ignore the initial key for F and think of F as just being a random function; adding back in that key to F is straightforward in the analysis. To give the intuition for this, I'm actually first going to talk through how we would think about it classically, using classical lazy sampling. For this, we can think of our random functions as really large tables which are initialized at random; then whenever a query for x is made, we just look at location x in the table and respond to the adversary with whatever's stored there.
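The sampling-then-swapping step above can be sketched classically; this is a simplified illustration (Even-Mansour case, forward queries only, collisions ignored as in the talk), where we patch an independent ideal permutation so that the real world FX_k(x) = P(x ^ k) ^ k is consistent with the pre-sampled answers:

```python
import random

# Sample the ideal and real worlds for a non-adaptive attack with
# queries xs. Returns the FX key k, the responses ys, the ideal-world
# permutation, and the patched real-world permutation.
def sample_worlds(xs, n_bits=8, rng=None):
    rng = rng or random.Random(0)
    N = 1 << n_bits
    ys = rng.sample(range(N), len(xs))           # distinct responses y_i
    ideal = list(range(N)); rng.shuffle(ideal)   # independent ideal permutation
    k = rng.randrange(N)                         # the FX key
    real = ideal[:]                              # start from the ideal permutation
    inv = {v: i for i, v in enumerate(real)}     # value -> position
    for x, y in zip(xs, ys):
        a, b = x ^ k, y ^ k                      # consistency needs real[a] == b
        j = inv[b]                               # current position of value b
        real[a], real[j] = real[j], real[a]      # swap with the partner point
        inv[real[a]], inv[real[j]] = a, j
    return k, ys, ideal, real
```

After the loop, real is still a permutation and satisfies real[x_i ^ k] ^ k == y_i for every query, while ideal remains independent of the x's.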
To do lazy sampling in the classical setting, we instead initialize our table with bot everywhere. When the adversary makes a query for x, we look at location x; if it stores bot, we first sample a random value for the table there and return it to the adversary. If, when we looked at x, something other than bot was already there, we just return the thing that was already there. To apply this to a security proof, the first step is to rewrite our oracles as lazy oracles. In the ideal world, where the random function and the ideal primitive are completely separate from each other, this just means two completely separate random function tables which we're lazily sampling. In the real world, there's a single random function table which is accessed directly by the ideal primitive, but when you make a query to FFX on a point, say x', we index into location x' XOR k. To write our security proof, what we do is rewrite this real world to make it look more like the ideal world. In particular, we try to express it as two tables which are linked to each other. What that means is: when we make a query x to the ideal primitive, we look both at location x of its own table and at location x XOR k of the FFX table. If the FFX table there is not bot, we use that value; if it is bot, we use the local table. This logic about checking the other table is the only place this oracle differs from the corresponding oracle in the ideal world. Similarly, when you make a query to FFX, we look at the corresponding spot in the ideal function's table and use that if it's not bot; otherwise we use F. Again, this check is the only place this oracle differs from the corresponding oracle in the ideal world.
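Classical lazy sampling is easy to sketch; here bot is represented by a missing dictionary key:

```python
import random

# Lazily sampled random function: the table conceptually starts as
# all-bot (here: an empty dict), and entries are sampled on first use.
def lazy_random_function(n_bits=8, rng=None):
    rng = rng or random.Random(42)
    table = {}                                  # missing key == bot
    def F(x):
        if x not in table:                      # bot: sample fresh and store
            table[x] = rng.randrange(1 << n_bits)
        return table[x]                         # otherwise return stored value
    return F

F = lazy_random_function()
```

The point is that this is perfectly indistinguishable from sampling the whole table up front, which is what makes rewriting oracles as lazy oracles a legitimate proof step.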
These differences occur on hard-to-find inputs, and then by using so-called identical-until-bad arguments, which are kind of the classical version of one-way-to-hiding arguments, we're able to lift this into our security bound. To follow this blueprint for our quantum proof, we need to understand how lazy sampling works in the quantum realm. We can't do exactly what we did on the previous slides for lazy sampling, because superposition queries allow the adversary to touch all of the table at once with a single query. But again, we can start by thinking of our random functions as large tables which are initialized at random. Now, in the quantum setting, to make the oracles valid unitaries, we have queries of the form (x, y): we look at location x, take the result, and XOR it into y. Zhandry has a beautiful result showing that we can get nice things if we instead look at things in the Fourier domain. This allows us to think of our function table as being initialized with all zeros. Then, when we make a query (x, y), all this does is XOR the value y into the table at location x; it doesn't really return anything back to the adversary. Doing this one query at a time, the adversary will be interacting with a table which is mostly zeros, and after q queries is non-zero at at most q locations. Zhandry's technique is also commonly referred to as the compressed oracle technique, because in most uses of it people have needed to go one step further and compress the table to store only the entries which are non-zero. For the purposes of our proof, we don't need to do that at all; we can keep our tables large, and all we need is that they're sparse.
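The Fourier-domain bookkeeping can be mimicked classically as a toy model (this ignores the actual quantum state and just tracks the table updates):

```python
# Toy classical model of the Fourier-domain view of a quantum-accessible
# random function: the table starts all zeros, and a query (x, y) simply
# XORs y into position x without returning anything. After q queries the
# table is non-zero in at most q locations -- the sparsity the proof uses,
# with no compression step needed.
def make_fourier_table(n=256):
    table = [0] * n
    def query(x, y):
        table[x] ^= y   # the query writes into the table; nothing comes back
    return table, query

table, query = make_fourier_table()
for x, y in [(1, 7), (5, 3), (1, 7)]:   # three queries; the third cancels the first
    query(x, y)
nonzero = sum(1 for v in table if v != 0)
```

Note how queries can also cancel: after the three queries above only one entry remains non-zero, but the at-most-q bound always holds.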
For our quantum proof, we want to start the same way we did in the classical setting: rewriting things as lazy oracles using Zhandry's technique, which gives us two separate tables being written into in the ideal world, and a single table being written into in the real world. However, we can't do this immediately; we have an issue, because the external queries, the queries to FFX or the random function, are supposed to be classical, and Zhandry's technique is supposed to be applied to quantum access to an oracle. This is actually simple enough to handle. What we do is add a step zero, where we express these classical queries as quantum queries: we allow the adversary fully quantum access to this oracle, but for every query it makes to the oracle that is supposed to be classical, we write down what it queried in what I'll call a query log, which we keep storing throughout the whole game. Once we've done that, we can do the rewriting as lazy oracles, giving us what's shown here. Then, again, the next step is to express the real world as two linked tables: when you access location x in one of the tables, you first check whether location x XOR k in the other table has a non-zero value in it. Doing this carefully, we can again write our oracles in a way where the real world and the ideal world only differ on code that is triggered by hard-to-find inputs. This gives us a setting for applying one-way-to-hiding results, giving our security bound.
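A classical analog of the linked-tables rewriting can be sketched as follows; this is only an illustration of the lookup logic, since the actual quantum version requires a carefully designed unitary and the query log:

```python
import random

# Classical analog of the "linked tables" rewriting of the real world for
# FFX(x') = F(x' ^ k): two lazily sampled tables (missing key == bot) where
# each oracle first checks the other table at the XOR-shifted index. The
# linked check is the only place these oracles differ from two fully
# independent tables, i.e. from the ideal world.
def make_linked_oracles(k, n_bits=8, rng=None):
    rng = rng or random.Random(7)
    f_tab, ffx_tab = {}, {}

    def prim(x):                      # query to the ideal primitive F
        if (x ^ k) in ffx_tab:        # linked check of the FFX table
            return ffx_tab[x ^ k]
        if x not in f_tab:
            f_tab[x] = rng.randrange(1 << n_bits)
        return f_tab[x]

    def ffx(xp):                      # query to the FFX construction
        if (xp ^ k) in f_tab:         # linked check of F's table
            return f_tab[xp ^ k]
        if xp not in ffx_tab:
            ffx_tab[xp] = rng.randrange(1 << n_bits)
        return ffx_tab[xp]

    return prim, ffx
```

Whichever oracle is queried first populates its own table, and the other oracle's linked check keeps the two views consistent, so together they behave exactly like a single shared random function.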
I'm slightly lying to you on this slide; there are some additional subtleties. The first is that the classical way of linking tables doesn't give a valid unitary operation, so we can't use it in the quantum setting. Instead, we had to very carefully design new ways of linking the tables in the quantum setting, and here we crucially had to make use of that query log we introduced before, for the oracle which was being accessed classically. The second piece is that the oracles as I've been discussing them are stateful oracles, and that's not the sort of oracle that one-way-to-hiding results work with. The way we address this is that, rather than thinking of our oracles as oracles which take in x and y, we think of them as oracles which take in x and y provided by the attacker, and also take in the F table, the pi table, the key k, and the query log provided by the game. That is, we're thinking of the attacker and the game combined as a single algorithm for the purposes of the one-way-to-hiding result, and it's through this that we get the non-structure-agnostic use of one-way-to-hiding that I mentioned before. Our final result was analyzing double encryption. As we mentioned, double encryption, which uses two length-k keys, falls victim in the classical setting to a time-2^k meet-in-the-middle attack. However, we're still able to prove quantum security: there's still this 2^k meet-in-the-middle attack, and there's still Grover search, which can attack in time 2^k, but we can't combine them to attack the length-2k scheme in time much less than 2^k. For our security result, we do reductions to worst-case problems, which isn't something we commonly see in cryptography. In particular, the problems we need are an element distinctness problem, which asks an algorithm to determine if a given list has any repeated values in it, and a list disjointness problem, where an algorithm is given two
different lists and has to determine if they have any values in common. The first third of our proof takes a proof which was previously done classically and shows that it applies in the quantum setting, so that we can reduce double encryption security to a decision version of this list disjointness problem. Then we had to analyze this worst-case list disjointness problem. We did this through a flow of results, where we first reduce from the decision version to the search version of the problem, then from the search version of the problem to the search version of element distinctness, which we're then able to analyze using a proof technique that Zhandry used to analyze a slightly different version of element distinctness. Also, inside of this decision step there's an additional step where we move between different notions of what it means for a problem to be hard to decide; if you want to dig into the details of this, I'll refer you to our paper. Concluding, I'll mention two open problems that our paper leaves. The first is analyzing the adaptive security of FX. The fundamental difficulty, at least for trying to apply our proof technique, is finding ways to do quantum lazy sampling for permutations. There have been prior papers that attempted to do this and were later shown to have proof errors in them. There's a more recent paper which claims to do this for analyzing SHA-3; however, it gives an imperfect form of lazy sampling whose concrete security is not good enough to be of any use for the FX construction, as it would override any benefit of the key-length extension. The second problem that would be interesting to consider is improving our quantum analysis of list disjointness. We saw before this bound where the inside of the root is something we're reasonably happy with, but it's a sixth root, and a sixth root is really bad for security for anything that's not in a fairly extreme parameter regime. So it would be interesting if our flow of worst-case analyses of these problems could somehow be improved to give a better result. And with that, I've reached the end of my talk. I'll leave you here on this slide summarizing our contributions and the open problems. Thanks for watching; I hope you have a good day.