
Quantum Authentication with Key Recycling, Christopher Portmann

Quantum Authentication with Key Recycling. Christopher Portmann, Dept. Physics, ETH Zurich, Switzerland; Dept. of Computer Science, ETH Zurich, Switzerland. EUROCRYPT 2017, Paris, 4 May. Outline: Introduction; Classical secure channel; Quantum secure channel.


  1. Quantum Authentication with Key Recycling. Christopher Portmann, Dept. Physics, ETH Zurich, Switzerland; Dept. of Computer Science, ETH Zurich, Switzerland. EUROCRYPT 2017, Paris, 4 May. Outline: Introduction; Classical secure channel; Quantum secure channel. Footer on every slide: C. Portmann, Quantum Authentication with Key Recycling.

  2. Authentication and Encryption of Quantum Messages with Key Recycling. Christopher Portmann, Dept. Physics, ETH Zurich, Switzerland; Dept. of Computer Science, ETH Zurich, Switzerland. EUROCRYPT 2017, Paris, 4 May.

  3. Overview of results (section: Introduction; subsections: Overview, Main idea)
     - Analyze a subset of the family of Q-MACs from Barnum, Crépeau, Gottesman, Smith, Tapp [FOCS 2002].
     - Prove that all the key can be recycled upon accepting the message.
     - Prove that part of the key can be recycled upon rejecting the message, and that this is optimal (= the rest is leaked).
     - Composable security proof using the Abstract/Constructive Cryptography framework [Maurer, Renner, 2011].

  4. Key recycling (classical)
     Classical MACs, Wegman, Carter [1981], P[2014]:
     - Message $x$; family of hash functions $\{f_k\}$; key $(k_1, k_2)$.
     - Tag $t := f_{k_1}(x) \oplus k_2$.
     - $(x, t)$ is sent, $(x', t')$ is received; the receiver checks $t' \stackrel{?}{=} f_{k_1}(x') \oplus k_2$.
     - New key $k_2$ needed for every new message $x$. $k_1$ can be recycled!


  6. Key recycling (quantum)
     [Diagram: authentic channel $A$, labelled $x$, $x$, $x$.]
     - No cloning! If Bob gets $\rho$, then Eve does not.
     - If Bob can verify that he received the correct cipher, Eve has no information about it.
       $\Rightarrow$ Eve has no information about the key either.
       $\Rightarrow$ Key can be recycled!
     - Same principle as quantum key distribution.

  7. Key recycling (quantum)
     [Diagram: authentic channel $A$, labelled $\rho$, $\rho$, $\rho$.]
     - No cloning! If Bob gets $\rho$, then Eve does not.
     - If Bob can verify that he received the correct cipher, Eve has no information about it.
       $\Rightarrow$ Eve has no information about the key either.
       $\Rightarrow$ Key can be recycled!
     - Same principle as quantum key distribution.

  8. Key recycling (quantum)
     [Diagram: secure channel $S$, labelled $\rho$, $\rho$, $\rho$.]
     - No cloning! If Bob gets $\rho$, then Eve does not.
     - If Bob can verify that he received the correct cipher, Eve has no information about it.
       $\Rightarrow$ Eve has no information about the key either.
       $\Rightarrow$ Key can be recycled!
     - Same principle as quantum key distribution.


  11. Constructing an authentic channel (navigation: Introduction; Classical secure channel; Quantum secure channel; subsections: From an authentic channel; From an XOR-malleable, confidential channel; Key recycling)
     [Diagram: converters $\pi^{\text{auth}}_A$ and $\pi^{\text{auth}}_B$ each hold key $k$ from the secret key $K$; Alice inputs $x$; the insecure channel $R$ takes $(x, t)$ and delivers $(x', t')$; Bob outputs $x', \perp$.]

  12. Constructing an authentic channel
     [Diagram: converters $\pi^{\text{auth}}_A$ and $\pi^{\text{auth}}_B$ each hold key $k$ from the secret key $K$; Alice inputs $x$; the insecure ch. $R$ takes $(x, t)$ and delivers $(x', t')$; Bob outputs $x', \perp$.]

  13. Constructing an authentic channel
     [Diagram: the system of the previous slide ($\pi^{\text{auth}}_A$, $\pi^{\text{auth}}_B$, secret key $K$, insecure ch. $R$ with $(x, t)$ and $(x', t')$) next to the authentic ch. $A$, labelled $x$; $x, \perp$; $x$; $0, 1$.]

  14. Constructing an authentic channel
     [Diagram: as on the previous slide, with a simulator $\sigma^{\text{auth}}_E$ added to the authentic ch. $A$; the simulator's outer labels are $(x, t)$ and $(x', t')$, matching the insecure ch. $R$.]

  15. Constructing an authentic channel
     [Diagram: as on slide 14.]
     Two systems $R$ and $S$ are $\varepsilon$-close if no distinguisher can tell them apart except with advantage $\varepsilon$:
     $$R \approx_\varepsilon S \iff \sup_D \left| \Pr[D(R) = 1] - \Pr[D(S) = 1] \right| \le \varepsilon.$$

  16. Constructing an authentic channel
     [Diagram: as on slide 14, with the two systems in dashed boxes.]
     $(\pi^{\text{auth}}_A, \pi^{\text{auth}}_B)$ constructs $A$ from $K \| R$ with error $\varepsilon$ if there exists a simulator $\sigma^{\text{auth}}_E$ such that the dashed boxes are $\varepsilon$-close:
     $$K \| R \xrightarrow{\pi^{\text{auth}},\, \varepsilon} A \iff \exists\, \sigma^{\text{auth}}_E \text{ s.t. } \pi^{\text{auth}}_A \pi^{\text{auth}}_B (K \| R) \approx_\varepsilon \sigma^{\text{auth}}_E A.$$

  17. Constructing a secure channel from an authentic ch.
     [Diagram: converters $\pi^{\text{otp}}_A$ and $\pi^{\text{otp}}_B$ each hold key $k$ from the secret key $K$; Alice inputs $x$; the authentic ch. $A$ carries $c = x \oplus k$ and is labelled $c$; $0, 1$; Bob outputs $x, \perp$.]

  18. Constructing a secure channel from an authentic ch.
     [Diagram: the system of the previous slide next to the secure ch. $S$, labelled $x$; $x, \perp$; $|x|$; $0, 1$.]

  19. Constructing a secure channel from an authentic ch.
     [Diagram: as on the previous slide, with a simulator $\sigma^{\text{otp}}_E$ added to the secure ch. $S$; the simulator's outer labels are $c$ and $0, 1$.]
     $(\pi^{\text{otp}}_A, \pi^{\text{otp}}_B)$ constructs $S$ from $K \| A$ with error $0$:
     $$\pi^{\text{otp}}_A \pi^{\text{otp}}_B (K \| A) = \sigma^{\text{otp}}_E S \implies K \| A \xrightarrow{\pi^{\text{otp}},\, 0} S.$$


  21. Constructing a secure ch. from an insecure ch. (1)
     [Diagram: composition of the two constructions. $\pi^{\text{otp}}_A$ and $\pi^{\text{otp}}_B$ hold $k_1$ from Key $K_1$; $\pi^{\text{auth}}_A$ and $\pi^{\text{auth}}_B$ hold $k_2$ from Key $K_2$ and run over Ch. $R$, which takes $(c, t)$ and delivers $(c', t')$; ciphertexts $c$, $c'$ pass between the two layers. Shown next to the secure ch. $S$, labelled $x$; $x, \perp$; $|x|$; $0, 1$, with simulators $\sigma^{\text{otp}}_E$ and $\sigma^{\text{auth}}_E$.]
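The classical tag $t := f_{k_1}(x) \oplus k_2$ from the "Key recycling (classical)" slide, as an added example that is not code from the talk. It assumes a GF(2)-linear random-matrix hash as the family $\{f_k\}$, 64-bit tags and messages padded to 16 bytes; all function names are hypothetical. It recycles $k_1$ across messages, draws a fresh $k_2$ per message, and shows what leaks if $k_2$ is reused.

```python
import hmac
import secrets

TAG_BITS = 64    # tag length n (assumption of this sketch)
MSG_BYTES = 16   # fixed padded message length (assumption of this sketch)

def pad(msg: bytes) -> int:
    """Injective padding: append 0x01, zero-fill to MSG_BYTES, read as an integer."""
    if len(msg) >= MSG_BYTES:
        raise ValueError("message too long for this hash key")
    return int.from_bytes(msg + b"\x01" + bytes(MSG_BYTES - len(msg) - 1), "big")

def gen_k1() -> list:
    """k1 selects f_k1: one random n-bit row per message bit (XOR-universal hash)."""
    return [secrets.randbits(TAG_BITS) for _ in range(8 * MSG_BYTES)]

def f(k1: list, msg: bytes) -> int:
    """f_k1(x): XOR of the rows selected by the 1-bits of the padded message."""
    x, acc = pad(msg), 0
    for i, row in enumerate(k1):
        if (x >> i) & 1:
            acc ^= row
    return acc

def tag(k1: list, k2: int, msg: bytes) -> int:
    """t := f_k1(x) XOR k2."""
    return f(k1, msg) ^ k2

def verify(k1: list, k2: int, msg: bytes, t: int) -> bool:
    """Check t' ?= f_k1(x') XOR k2, comparing in constant time."""
    expected = tag(k1, k2, msg).to_bytes(TAG_BITS // 8, "big")
    return hmac.compare_digest(expected, t.to_bytes(TAG_BITS // 8, "big"))

def demo() -> dict:
    k1 = gen_k1()                                     # drawn once, then recycled
    msgs = [b"pay 10 to bob", b"pay 99 to eve"]       # constructed sample messages
    k2s = [secrets.randbits(TAG_BITS) for _ in msgs]  # fresh mask for every message
    tags = [tag(k1, k2, m) for k2, m in zip(k2s, msgs)]
    valid = all(verify(k1, k2, m, t) for k2, m, t in zip(k2s, msgs, tags))
    tampered = verify(k1, k2s[0], msgs[1], tags[0])   # substituted x', original t
    # Failure mode: one k2 used for two messages cancels out of t1 XOR t2,
    # so the channel reveals f_k1(x1) XOR f_k1(x2), i.e. information about k1.
    r1, r2 = tag(k1, k2s[0], msgs[0]), tag(k1, k2s[0], msgs[1])
    leak = (r1 ^ r2) == (f(k1, msgs[0]) ^ f(k1, msgs[1]))
    return {"valid": valid, "tamper_accepted": tampered, "k2_reuse_leaks": leak}

if __name__ == "__main__":
    print(demo())
```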
