cryptography for the quantum internet
play

Cryptography for the quantum internet Elements of a quantum TLS - PowerPoint PPT Presentation

Cryptography for the quantum internet Elements of a quantum TLS Christian Majenz Colloquium Informatics Institute, University of Amsterdam Quantum computers Quantum computers Accelerating effort to build a quantum computer Quantum


  1. Fiat Shamir transformation Removes interaction from identification schemes using hash Digital signature scheme functions ⟹ Well-known: Security in the Random Oracle Model

  2. Fiat Shamir transformation Removes interaction from identification schemes using hash Digital signature scheme functions ⟹ Well-known: Security in the Random Oracle Model How about the Quantum Random Oracle Model (QROM)?

  3. Fiat Shamir transformation Removes interaction from identification schemes using hash Digital signature scheme functions ⟹ Well-known: Security in the Random Oracle Model How about the Quantum Random Oracle Model (QROM)? Theorem (Don, Fehr, M, Schaffner ’19): Fiat Shamir signatures are secure in the QROM.

  4. Fiat Shamir transformation Removes interaction from identification schemes using hash Digital signature scheme functions ⟹ Well-known: Security in the Random Oracle Model How about the Quantum Random Oracle Model (QROM)? Theorem (Don, Fehr, M, Schaffner ’19): Fiat Shamir signatures are secure in the QROM. Also proven concurrently by Liu, Zhandry. Less tight reduction.

  5. Fiat Shamir transformation Removes interaction from identification schemes using hash Digital signature scheme functions ⟹ Well-known: Security in the Random Oracle Model How about the Quantum Random Oracle Model (QROM)? Theorem (Don, Fehr, M, Schaffner ’19): Fiat Shamir signatures are secure in the QROM. Also proven concurrently by Liu, Zhandry. Less tight reduction. More efficient NIST candidate signature schemes!!!

  6. Fiat Shamir transformation Removes interaction from identification schemes using hash Digital signature scheme functions ⟹ Well-known: Security in the Random Oracle Model How about the Quantum Random Oracle Model (QROM)? Theorem (Don, Fehr, M, Schaffner ’19): Fiat Shamir signatures are secure in the QROM. Also proven concurrently by Liu, Zhandry. Less tight reduction. More efficient NIST candidate signature schemes!!!

  7. Are we ready for encrypting the quantum internet? Key Exchange

  8. Post-quantum key exchange This is what Quantum Key Distribution (QKD) can do!*

  9. Post-quantum key exchange This is what Quantum Key Distribution (QKD) can do!* Unconditionally secure!!

  10. Post-quantum key exchange This is what Quantum Key Distribution (QKD) can do!* Unconditionally secure!! Alternative: post-quantum secure Key Encapsulation

  11. Post-quantum key exchange This is what Quantum Key Distribution (QKD) can do!* Unconditionally secure!! Alternative: post-quantum secure Key Encapsulation + Classical more efficient ⟹

  12. Post-quantum key exchange This is what Quantum Key Distribution (QKD) can do!* Unconditionally secure!! Alternative: post-quantum secure Key Encapsulation + Classical more efficient ⟹ ‒ Computational assumptions (similar to signatures, current internet crypto…)

  13. Are we ready for encrypting the quantum internet? Authenticated Encryption

  14. The TLS protocol Quantum “post-quantum” Quantum Secure (Server) Key Functionalities communication authentication establishment Session Key exchange/ Digital Authenticated Protocols Key signatures encryption encapsulation Cryptographic Hash Block Modes of Ingredients functions ciphers operation Quantum- ready?

  15. The TLS protocol Quantum “post-quantum” Quantum Secure (Server) Key Functionalities communication authentication establishment Session Key exchange/ Digital Authenticated Protocols Key signatures encryption encapsulation Cryptographic Hash Block Modes of Ingredients functions ciphers operation Quantum- ready?

  16. Authenticated Encryption

  17. Authenticated Encryption Alice Bob

  18. Authenticated Encryption Alice Bob m

  19. Authenticated Encryption k k Alice Bob m

  20. Authenticated Encryption k k Alice Bob m c = Enc k ( m )

  21. Authenticated Encryption k k c Alice Bob m c = Enc k ( m )

  22. Authenticated Encryption k k c Alice Bob m Dec k ( c ) = m c = Enc k ( m )

  23. Authenticated Encryption k k c Alice Bob m Dec k ( c ) = m c = Enc k ( m ) Confidentiality: doesn’t tell you anything about . c m

  24. Authenticated Encryption k k c Alice Bob m Dec k ( c ) = m c = Enc k ( m ) Confidentiality: doesn’t tell you anything about . c m Integrity: If was produced from without using , then c ′ c k Dec k ( c ′ ) = reject

  25. Authenticated Encryption k k c Alice Bob m Dec k ( c ) = m c = Enc k ( m ) Confidentiality: doesn’t tell you anything about . c m Integrity: If was produced from without using , then c ′ c k Dec k ( c ′ ) = reject Slightly simplified…

  26. Authenticated Encryption k k c Alice Bob m Dec k ( c ) = m c = Enc k ( m ) Confidentiality: doesn’t tell you anything about . c m Integrity: If was produced from without using , then c ′ c k Dec k ( c ′ ) = reject Confidentiality+Integrity=Authenticated encryption

  27. Real vs. Ideal Alternative characterization (Shrimpton ’04):

  28. Real vs. Ideal Alternative characterization (Shrimpton ’04): Real Ideal

  29. Real vs. Ideal Alternative characterization (Shrimpton ’04): Real Ideal Enc k Dec k

  30. Real vs. Ideal Alternative characterization (Shrimpton ’04): Real Ideal $ Enc k Enc k Dec k

  31. Real vs. Ideal Alternative characterization (Shrimpton ’04): Real Ideal $ Enc k Enc k reject Dec k

  32. Real vs. Ideal Alternative characterization (Shrimpton ’04): Real Ideal $ Enc k Enc k reject Dec k Except that =

  33. Real vs. Ideal Alternative characterization (Shrimpton ’04): Real Ideal $ Enc k Enc k reject Dec k Except that = Enforced by keeping a list Of input-output-pairs of

  34. Quantum authenticated encryption Except that = Enforced by keeping a list Of input-output-pairs of

  35. Quantum authenticated encryption Problem 1: requires copying quantum ciphertexts…

  36. Quantum authenticated encryption Problem 1: requires copying quantum ciphertexts… forbidden by quantum no-cloning theorem!

  37. Quantum authenticated encryption Problem 1: requires copying quantum ciphertexts… forbidden by quantum no-cloning theorem! “Recording Barrier”

  38. Quantum authenticated encryption Problem 1: requires copying quantum ciphertexts… forbidden by quantum no-cloning theorem! “Recording Barrier” Problem 2: Measurement disturbance

  39. Quantum authenticated encryption Problem 1: requires copying quantum ciphertexts… forbidden by quantum no-cloning theorem! “Recording Barrier” Problem 2: Measurement disturbance Solution 1: Purify “$” $ Enc k

Recommend


More recommend