Abstract
We show that for many fundamental cryptographic primitives, proving classical security under the learning-with-errors (LWE) assumption does not imply post-quantum security. This is despite the fact that LWE is widely believed to be post-quantum secure, and our work does not give any evidence otherwise. Instead, it shows that post-quantum insecurity can arise inside cryptographic constructions, even if the underlying assumptions are post-quantum secure.
Concretely, our work provides (contrived) constructions of pseudorandom functions, CPA-secure symmetric-key encryption, message-authentication codes, signatures, and CCA-secure public-key encryption schemes, all of which are proven to be classically secure under LWE via black-box reductions, but demonstrably fail to be post-quantum secure. All of these cryptosystems are stateless and non-interactive, but their security is defined via an interactive game that allows the attacker to make oracle queries to the cryptosystem. The polynomial-time quantum attacker can break these schemes by only making a few classical queries to the cryptosystem, and in some cases, a single query suffices.
Previously, we only had examples of post-quantum insecurity under post-quantum assumptions for stateful/interactive protocols. Moreover, there appears to be a folklore intuition that for stateless/non-interactive cryptosystems with black-box proofs of security, a quantum attack against the scheme should translate into a quantum attack on the assumption. This work shows otherwise. Our main technique is to carefully embed interactive protocols inside the interactive security games of the above primitives.
As a result of independent interest, we also show a 3-round quantum disclosure of secrets (QDS) protocol between a classical sender and a receiver, where a quantum receiver learns a secret message in the third round but, assuming LWE, a classical receiver does not.
The full version of this paper is available online [33].
A. Lombardi—Supported in part by DARPA under Agreement No. HR00112020023, a grant from MIT-IBM Watson AI, a grant from Analog Devices, a Microsoft Trustworthy AI grant, the Thornton Family Faculty Research Innovation Fellowship and a Charles M. Vest fellowship. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the United States Government or DARPA.
D. Wichs—Research supported by NSF grant CNS-1750795, CNS-2055510 and the Alfred P. Sloan Research Fellowship.
Notes
- 1. The same question could also be asked for cryptosystems based on any of the other candidate post-quantum assumptions such as isogenies or even post-quantum secure one-way functions or collision-resistant hashing. We frame our discussion in terms of LWE for concreteness and because our eventual results specifically rely on LWE.
- 2. We focus on “post-quantum security”, where only the adversary is quantum, but all interaction with the cryptosystem is classical. We distinguish this from what is sometimes called “quantum security” [45], where the cryptosystem needs to also accept quantum inputs. For the latter, it is already known that, e.g., allowing an adversary quantum query access to a PRF may compromise security. We discuss this in detail in Sect. 1.2.
- 3. Note that PRFs (and other symmetric-key primitives) with public parameters are natural to consider; for instance, the group-based PRFs (e.g., [34]) would naturally have public parameters that include a description of the group.
- 4. Technically, it may be possible that the completeness error of the IPQ increases non-negligibly if the PRF is only classically secure but not post-quantum secure. But it is easy to solve this by relying on a PRF that is one-wise independent.
- 5. In this case, we can remove the instruction that \(V_{\textsf{sk}}\) outputs \(v_1\) on the empty string, since we already give out \(v_1\) in the public parameters.
- 6. For symmetric-key primitives in the public-parameter setting, the secret key of the primitive is generated together with some public parameters that are given to the adversary, but are not otherwise needed for correctness.
- 7. It is easy to make an IPQ publicly verifiable simply by adding an additional round where the verifier publicly declares whether it accepted or rejected, but this would require 5 rounds and we need 4.
- 8. A 3-message QDS also implies a 4-message publicly verifiable IPQ. This is shown implicitly by our one-time signature counterexample below, but can be done more directly as follows. Use a QDS to send a random message x and append a one-way function f(x) to the 3rd round; then accept in the 4th round if the prover replies with a valid preimage \(x'\) for f(x).
- 9. This allows us to encrypt a single bit, but we can repeat this in parallel to encrypt a multi-bit message one bit at a time. Security follows via a simple hybrid argument.
- 10. We think of a \(3 \times 3\) square of bits. The challenge \(q_1\) corresponds to a random row or column (6 possibilities) and \(q_2\) corresponds to a random location inside that row/column. The provers are supposed to answer with \(a_1\) being the 3 bits in the given row/column specified by \(q_1\) and \(a_2\) being the bit in the position specified by \(q_2\). They win if the answers are consistent and if the bits of \(a_1\) have parity 0 when \(q_1\) is a row or parity 1 when \(q_1\) is a column.
- 11. Unfortunately, if we use this 2-prover non-local game, then the resulting 4-message IPQ cannot be made resettably sound. This is because the challenge \(q_2\) gives information about \(q_1\). By rewinding the verifier and seeing many values of \(q_2\), a classical adversary can learn \(q_1\) and win the game. (Even if the 4-message IPQ was resettably sound, it wouldn’t guarantee that the 3-message QDS would be, because it reveals various GL bits in the 3rd round.) In contrast, in the original instantiation of the [30] framework with the CHSH game and threshold parallel repetition, the resulting 4-message IPQ does not have unique final answers, but can be given resettable security using a PRF to generate \(q_2\), because \(q_2\) is random and independent of \(q_1\).
- 12. Allowing \(\mathcal{P}^*\) to learn the outcome of the protocol execution is without loss of generality by negligible classical soundness: all executions of the protocol with \(\mathcal{P}^*\) will be rejected with overwhelming probability.
- 13. Technically, to have \(F_{\textsf{sk}}\) be defined over a fixed input domain, we actually distinguish the cases \(x=(0\Vert p_1\Vert *)\) and \(x=(1\Vert p_1,p_2)\) where \(*\) denotes a 0 padding of appropriate length, and where \(F_{\textsf{sk}}\) outputs \(\textsf{reject}\) on inputs not of this form. We keep the notation of the construction above for clarity of exposition.
- 14. Technically, we pad the shorter of \(\overline{\textsf{pp}}\) and \(\overline{F}_{\overline{\textsf{sk}}}(x)\) to obtain outputs with fixed length. We define the padding as an independent PRF of the input to preserve pseudorandomness of outputs.
- 15. In general, the first sender message in the QDS \(s_1\) depends on the message m, and so in general \(\textsf{Setup}\) would take m as input. For simplicity of notation, we note that our construction of QDS above is delayed-input, in the sense that \(s_1\) is computed independently of m, which allows \(\textsf{Setup}\) to be independent of m. Our counterexamples in Sect. 6 would work even if the QDS was not delayed-input.
- 16. Uniform description follows by considering for instance random affine functions over the field \(\{0,1\}^n\) where n denotes the input size, so that hash functions have descriptions \(h=(a,b)\leftarrow \{0,1\}^n \times \{0,1\}^n\).
- 17. In other words, the quantum attack is a CCA-1 attack.
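The row/column parity game of footnote 10 as an added Python example (this is not code from the paper): the verifier's acceptance check, the winning probability of a deterministic classical two-prover strategy over the 18 equiprobable question pairs, and an exhaustive search over grid-based strategies showing that no classical strategy answers every question pair correctly. The function names, the grid-based strategy and the resulting 17/18 figure are this example's own, not the paper's.

```python
from itertools import product

# Lines of the 3x3 square: q1 in 0..2 selects row q1, q1 in 3..5 selects column q1-3.
LINES = [[(r, c) for c in range(3)] for r in range(3)] + \
        [[(r, c) for r in range(3)] for c in range(3)]

def target_parity(q1):
    """Rows must have parity 0, columns parity 1 (footnote 10)."""
    return 0 if q1 < 3 else 1

def verifier_accepts(q1, q2, a1, a2):
    """Verifier check: a1 is the 3 bits of line q1, a2 is prover 2's bit for position q2 in it."""
    if q2 not in range(3) or len(a1) != 3:
        return False
    if any(b not in (0, 1) for b in a1) or a2 not in (0, 1):
        return False
    if a1[q2] != a2:          # answers must be consistent at the queried position
        return False
    return sum(a1) % 2 == target_parity(q1)

def win_probability(p1, p2):
    """Winning probability of a deterministic classical strategy over the 18 equiprobable
    (q1, q2) pairs. p1(q1) -> 3 bits; p2(cell) -> 1 bit (prover 2 only sees the cell)."""
    wins = sum(verifier_accepts(q1, q2, p1(q1), p2(LINES[q1][q2]))
               for q1 in range(6) for q2 in range(3))
    return wins / 18

def grid_strategy(grid):
    """Both provers read a fixed 3x3 grid agreed in advance (a hypothetical strategy for this
    example). Prover 1 flips the last bit of its line when the grid's parity is wrong, so its
    answer always passes the parity test; it can then only lose on consistency."""
    def p1(q1):
        bits = [grid[r][c] for (r, c) in LINES[q1]]
        bits[2] ^= (sum(bits) % 2) ^ target_parity(q1)
        return bits
    def p2(cell):
        return grid[cell[0]][cell[1]]
    return p1, p2

def best_grid_win_probability():
    """Exhaustively evaluate all 512 grid strategies; return the best winning probability."""
    best = 0.0
    for bits in product((0, 1), repeat=9):
        grid = [list(bits[3 * r:3 * r + 3]) for r in range(3)]
        best = max(best, win_probability(*grid_strategy(grid)))
    return best

def perfect_grid_exists():
    """A perfect deterministic strategy would force prover 2's bits to form a grid whose rows
    all have parity 0 and whose columns all have parity 1. No such grid exists: the row
    parities and the column parities both sum to the total number of ones mod 2."""
    return any(all(sum(g[3 * r:3 * r + 3]) % 2 == 0 for r in range(3)) and
               all(sum(g[c::3]) % 2 == 1 for c in range(3))
               for g in product((0, 1), repeat=9))
```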
References
Ambainis, A., Rosmanis, A., Unruh, D.: Quantum attacks on classical proof systems: the hardness of quantum rewinding. In: 55th FOCS, pp. 474–483. IEEE Computer Society Press, October 2014. https://doi.org/10.1109/FOCS.2014.57
Aravind, P.: The magic squares and Bell’s theorem. Technical report (2002)
Arute, F., Arya, K., Babbush, R., et al.: Quantum supremacy using a programmable superconducting processor. Nature 574(7779), 505–510 (2019)
Badrinarayanan, S., Ishai, Y., Khurana, D., Sahai, A., Wichs, D.: Refuting the dream XOR lemma via ideal obfuscation and resettable MPC. ITC (2022). https://eprint.iacr.org/2022/681
Barak, B.: How to go beyond the black-box simulation barrier. In: 42nd FOCS, pp. 106–115. IEEE Computer Society Press, October 2001. https://doi.org/10.1109/SFCS.2001.959885
Bellare, M., Impagliazzo, R., Naor, M.: Does parallel repetition lower the error in computationally sound protocols? In: 38th FOCS, pp. 374–383. IEEE Computer Society Press, October 1997. https://doi.org/10.1109/SFCS.1997.646126
Bellare, M., Rogaway, P.: Entity authentication and key distribution. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 232–249. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48329-2_21
Bitansky, N., Brakerski, Z., Kalai, Y.T.: Constructive post-quantum reductions. Cryptology ePrint Archive (2022)
Bitansky, N., Shmueli, O.: Post-quantum zero knowledge in constant rounds. In: Makarychev, K., Makarychev, Y., Tulsiani, M., Kamath, G., Chuzhoy, J. (eds.) 52nd ACM STOC, pp. 269–279. ACM Press, June 2020. https://doi.org/10.1145/3357713.3384324
Boneh, D., Dagdelen, Ö., Fischlin, M., Lehmann, A., Schaffner, C., Zhandry, M.: Random oracles in a quantum world. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 41–69. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25385-0_3
Boneh, D., Zhandry, M.: Quantum-secure message authentication codes. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 592–608. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38348-9_35
Boneh, D., Zhandry, M.: Secure signatures and chosen ciphertext security in a quantum computing world. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8043, pp. 361–379. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40084-1_21
Brakerski, Z., Christiano, P., Mahadev, U., Vazirani, U.V., Vidick, T.: A cryptographic test of quantumness and certifiable randomness from a single quantum device. In: Thorup, M. (ed.) 59th FOCS, pp. 320–331. IEEE Computer Society Press, October 2018. https://doi.org/10.1109/FOCS.2018.00038
Brakerski, Z., Vaikuntanathan, V.: Efficient fully homomorphic encryption from (standard) LWE. In: Ostrovsky, R. (ed.) 52nd FOCS, pp. 97–106. IEEE Computer Society Press, October 2011. https://doi.org/10.1109/FOCS.2011.12
Canetti, R., Goldreich, O., Halevi, S.: The random oracle methodology, revisited (preliminary version). In: 30th ACM STOC, pp. 209–218. ACM Press, May 1998. https://doi.org/10.1145/276698.276741
Chia, N.-H., Chung, K.-M., Yamakawa, T.: A black-box approach to post-quantum zero-knowledge in constant rounds. In: Malkin, T., Peikert, C. (eds.) CRYPTO 2021. LNCS, vol. 12825, pp. 315–345. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-84242-0_12
Chiesa, A., Ma, F., Spooner, N., Zhandry, M.: Post-quantum succinct arguments: breaking the quantum rewinding barrier. In: 2021 IEEE 62nd Annual Symposium on Foundations of Computer Science (FOCS), pp. 49–58. IEEE (2021)
Clauser, J.F., Horne, M.A., Shimony, A., Holt, R.A.: Proposed experiment to test local hidden-variable theories. Phys. Rev. Lett. 23, 880–884 (1969)
Cleve, R., Hoyer, P., Toner, B., Watrous, J.: Consequences and limits of nonlocal strategies. In: Proceedings. 19th IEEE Annual Conference on Computational Complexity, pp. 236–249. IEEE (2004)
Dodis, Y., Jain, A., Moran, T., Wichs, D.: Counterexamples to hardness amplification beyond negligible. In: Cramer, R. (ed.) TCC 2012. LNCS, vol. 7194, pp. 476–493. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-28914-9_27
Dwork, C., Naor, M., Reingold, O., Stockmeyer, L.J.: Magic functions. In: 40th FOCS, pp. 523–534. IEEE Computer Society Press, October 1999. https://doi.org/10.1109/SFFCS.1999.814626
Gentry, C.: Fully homomorphic encryption using ideal lattices. In: Mitzenmacher, M. (ed.) 41st ACM STOC, pp. 169–178. ACM Press, May/June 2009. https://doi.org/10.1145/1536414.1536440
Goldreich, O., Krawczyk, H.: On the composition of zero-knowledge proof systems. SIAM J. Comput. 25(1), 169–192 (1996)
Goldwasser, S., Kalai, Y.T.: On the (in)security of the Fiat-Shamir paradigm. In: 44th FOCS, pp. 102–115. IEEE Computer Society Press, October 2003. https://doi.org/10.1109/SFCS.2003.1238185
Gorbunov, S., Vaikuntanathan, V., Wee, H.: Attribute-based encryption for circuits. In: Boneh, D., Roughgarden, T., Feigenbaum, J. (eds.) 45th ACM STOC, pp. 545–554. ACM Press, June 2013. https://doi.org/10.1145/2488608.2488677
Goyal, R., Koppula, V., Waters, B.: Lockable obfuscation. In: Umans, C. (ed.) 58th FOCS, pp. 612–621. IEEE Computer Society Press, October 2017. https://doi.org/10.1109/FOCS.2017.62
van de Graaf, J.: Towards a formal definition of security for quantum protocols. Ph.D. thesis, University of Montreal (1997)
Hofheinz, D., Rao, V., Wichs, D.: Standard security does not imply indistinguishability under selective opening. In: Hirt, M., Smith, A. (eds.) TCC 2016, Part II. LNCS, vol. 9986, pp. 121–145. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53644-5_5
Kahanamoku-Meyer, G.D., Choi, S., Vazirani, U.V., Yao, N.Y.: Classically-verifiable quantum advantage from a computational bell test. arXiv preprint arXiv:2104.00687 (2021)
Kalai, Y.T., Lombardi, A., Vaikuntanathan, V., Yang, L.: Quantum advantage from any non-local game. Cryptology ePrint Archive, Report 2022/400 (2022). https://ia.cr/2022/400
Koppula, V., Ramchen, K., Waters, B.: Separations in circular security for arbitrary length key cycles. In: Dodis, Y., Nielsen, J.B. (eds.) TCC 2015. LNCS, vol. 9015, pp. 378–400. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46497-7_15
Lombardi, A., Ma, F., Spooner, N.: Post-quantum zero knowledge, revisited (or: how to do quantum rewinding undetectably). Cryptology ePrint Archive, Report 2021/1543 (2021). https://eprint.iacr.org/2021/1543
Lombardi, A., Mook, E., Quach, W., Wichs, D.: Post-quantum insecurity from LWE. Cryptology ePrint Archive, Paper 2022/869 (2022). https://eprint.iacr.org/2022/869
Naor, M., Reingold, O.: Number-theoretic constructions of efficient pseudo-random functions. In: 38th FOCS, pp. 458–467. IEEE Computer Society Press, October 1997. https://doi.org/10.1109/SFCS.1997.646134
NIST CSRC: Post-quantum cryptography. https://csrc.nist.gov/Projects/Post-Quantum-Cryptography
Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: Gabow, H.N., Fagin, R. (eds.) 37th ACM STOC, pp. 84–93. ACM Press, May 2005. https://doi.org/10.1145/1060590.1060603
Rothblum, R.D.: On the circular security of bit-encryption. In: Sahai, A. (ed.) TCC 2013. LNCS, vol. 7785, pp. 579–598. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-36594-2_32
Shor, P.W.: Algorithms for quantum computation: discrete logarithms and factoring. In: 35th FOCS, pp. 124–134. IEEE Computer Society Press, November 1994. https://doi.org/10.1109/SFCS.1994.365700
Unruh, D.: Quantum proofs of knowledge. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 135–152. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_10
Unruh, D.: Computationally binding quantum commitments. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9666, pp. 497–527. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49896-5_18
Watrous, J.: Zero-knowledge against quantum attacks. In: Kleinberg, J.M. (ed.) 38th ACM STOC, pp. 296–305. ACM Press, May 2006. https://doi.org/10.1145/1132516.1132560
Wichs, D., Zirdelis, G.: Obfuscating compute-and-compare programs under LWE. In: Umans, C. (ed.) 58th FOCS, pp. 600–611. IEEE Computer Society Press, October 2017. https://doi.org/10.1109/FOCS.2017.61
Yamakawa, T., Zhandry, M.: Classical vs quantum random oracles. In: Canteaut, A., Standaert, F.-X. (eds.) EUROCRYPT 2021. LNCS, vol. 12697, pp. 568–597. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-77886-6_20
Yamakawa, T., Zhandry, M.: Verifiable quantum advantage without structure. arXiv preprint arXiv:2204.02063 (2022)
Zhandry, M.: How to construct quantum random functions. In: 53rd FOCS, pp. 679–687. IEEE Computer Society Press, October 2012. https://doi.org/10.1109/FOCS.2012.37
Zhandry, M.: Secure identity-based encryption in the quantum random oracle model. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 758–775. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32009-5_44
Zhang, J., Yu, Y., Feng, D., Fan, S., Zhang, Z., Yang, K.: Interactive proofs for quantum black-box computations. Cryptology ePrint Archive (2020)
© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG
Lombardi, A., Mook, E., Quach, W., Wichs, D. (2022). Post-quantum Insecurity from LWE. In: Kiltz, E., Vaikuntanathan, V. (eds) Theory of Cryptography. TCC 2022. Lecture Notes in Computer Science, vol 13747. Springer, Cham. https://doi.org/10.1007/978-3-031-22318-1_1
DOI: https://doi.org/10.1007/978-3-031-22318-1_1
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-22317-4
Online ISBN: 978-3-031-22318-1