Please note: This PhD defence will take place online.
Edward Eaton, PhD candidate
David R. Cheriton School of Computer Science
Supervisors: Professors Douglas Stebila, Alfred Menezes
Due to the threat of scalable quantum computation breaking existing public-key cryptography, interest in post-quantum cryptography has exploded in the past decade. There are two key aspects to mitigating the quantum threat. The first is to have a complete understanding of the capabilities of a quantum-enabled adversary and to be able to predict the impact on the security of protocols. The second is to find suitable replacements for those protocols rendered insecure.
In this thesis, we develop new techniques to help address these problems, in order to better prepare for the post-quantum era. Proofs in security models that consider quantum adversaries are notoriously more challenging than their classical analogues. The quantum random oracle model abstracts real-world hash functions as a black box, but allows the adversary to query it in superposition. This model is important because it often makes it possible to reduce the security of a protocol to the hardness of an underlying problem.
We prove several results about the model itself. We provide upper and lower bounds on the ability of the adversary to find collisions in non-uniform functions in this model. We also compare the quantum random oracle model to the classical random oracle model and establish that a key aspect of their relationship to the standard model is unchanged. We also develop a way to model a new security property (dubbed quantum annoyingness) that considers the security of classical password-authenticated key exchange schemes in the presence of quantum adversaries, and prove the security of a recently standardized protocol in this model.
For the second problem, we show how established post-quantum problems can be used to build protocols beyond key establishment and signing. We look at two protocols, key-blinded signatures and updatable public-key encryption, which are variants of signature and key-establishment protocols respectively. We show how these protocols can be instantiated by modifying existing post-quantum signature and key-establishment protocols. Both were originally built relying heavily on the structure of the discrete logarithm problem. In instantiating the schemes with post-quantum assumptions, we also highlight how alternative mathematical structures can be adapted to achieve the same results. Finally, we provide proofs, implementations, and performance metrics for these instantiations.