2

Background:

The MathMesh crypto platform (refs at the bottom) is a newly-proposed technology stack which has been somewhat cheekily called a "Grand Unified Theory of Security on the Internet". Its "Meta Cryptography" module relies on the following property of Discrete-log Diffie-Hellman:

$privKey: x, pubKey: X = x.P$

$privKey: y, pubKey: Y = y.P$

Therefore you can derive "combination keys" by either combining two public keys or two private keys.

$Z=X \oplus Y = (x \otimes y).P$

for some appropriate definition of $\oplus$ and $\otimes$.

Question:

Will this survive the transition to post-quantum asymmetric KEMs? More specifically, how likely is it that there is some definition of $\oplus$ and $\otimes$ that allows "combining" of public keys and private keys in this way for lattice, code, multivariate and/or SIKE keys?

References:

Mike Ounsworth
  • 3,627
  • 1
  • 18
  • 28

1 Answers1

5

No, this does not survive as is in the quantum world, since all discrete logarithm schemes (including Diffie-Hellman) are broken.

And more generally, this is probably not possible in the quantum world a priori, because it would imply having group homomorphic properties, which are hindered by the fact that Shor's algorithm is actually made of two parts:

  • A reduction of the factoring problem to the problem of order-finding.
  • A quantum algorithm to solve the order-finding problem

and the problem is that the order finding part implies that it allows to find the order of a group element, thus allowing to break the discrete logarithm easily.

There is even an impossibility result from 2014 for group homomorphic encryption in the quantum world. Its core idea is basically that you can win the IND-CPA game by choosing two messages $m_0$ and $m_1$ such that $m_0=e$, and $m_1\neq e$, for $e$ the identity element in your plaintext group, which will be mapped when encrypted to the identity element of the ciphertext group, and since you can compute the order of an element using Shor's order finding part, you can find whether the ciphertext has order 1 (in which cases it corresponds to $m_0$) or not. And the same kind of problems will arise with digital signatures or key exchanges algorithms.

This is also the reason why it is extremely difficult to come up with zero-knowledge proofs that are quantum safe.

Lery
  • 7,679
  • 1
  • 26
  • 46
  • Thanks for your answer. So dumb question: linear algebra is linear, so if in a lattice scheme I used a linear combination of public keys to create a ciphertext, would that not be decryptable with a linear combination of the corresponding private keys? – Mike Ounsworth Nov 18 '19 at 17:18
  • 2
    @MikeOunsworth: lattice schemes use a linear combination along with a small amount of noise; this noise would build up as you repeatedly performed your operation, and so a sufficient number would result in an unusable key. On the other hand, if you were willing to live with a bound on the number of operations, you could make it work (with is essentially how partially homomorphic lattice systems work). Of course, none of the NIST candidates are designed to do this (as this requires a larger lattice to deal with the reduced noise initially) – poncho Nov 18 '19 at 19:32
  • I think it should be highlighted that the linked paper has some details, one of them is Our quantum attack from Section 4 on group homomorphic encryption schemes is not immediately applicable to more general homomorphic encryption schemes, such as somewhat and (leveled) FHE schemes.So it doesn't appear to be the case that any scheme that possesses the desired feature is necessarily broken by this distinguisher. The distinguisher appears to apply to schemes where there is no noise or prospect of decryption failure (Paillier, Elgamal, textbook RSA, etc). – Ella Rose Nov 19 '19 at 00:06
  • 2
    Yes, actually Gentry's seminal thesis on FHE already has a reduction to a Quantum safe problem for a FHE scheme. But to have group homomorphic properties on the keys, that's not the same as to have a (somewhat / fully) HE scheme – Lery Nov 19 '19 at 12:27