Quantum non-malleability and authentication

Christian Majenz, QMATH, University of Copenhagen. Joint work with Gorjan Alagic, NIST and University of Maryland. CRYPTO 2017, UCSB, 24.08.2017


  1. Quantum non-malleability and authentication
      Christian Majenz, QMATH, University of Copenhagen
      Joint work with Gorjan Alagic, NIST and University of Maryland
      CRYPTO 2017, UCSB, 24.08.2017

  2. Motivation: a classical story...

  11. Crypto for bank transfers
      [Figure: "I want a new notebook!"; messages shown: "Transfer 1000€ to <notebook store>" and "Transfer 9888€ to <notebook store>"]
      ◮ What cryptographic security notions would fix this problem?

  17. Non-malleability
      ◮ One solution is non-malleable encryption:
      [Figure: "I want a new notebook!"; "Transfer 1000$ to <notebook store>" → encrypt → "qAe5PSkDo3bFfq9 I5pM2jQgfPUrtdcx 7xF8WS9An"; "zfwgpvkSR39da7U haXBA0ya18weOI0 HGP6uqfo7E" → decrypt → "ZwOL0XEOuVF74D 8bX0vwDCwGOuSe"]

  23. Summary of Results
      New definition of information-theoretic quantum non-malleability which
      ◮ fixes a vulnerability allowed by the previous definition
      ◮ implies secrecy, analogously to quantum authentication
      ◮ serves as a primitive for building quantum authentication
      ◮ has both a simulation-based and an entropic characterization
      ♠ Additional result: The new definition of quantum authentication with key recycling (Garg, Yuen, Zhandry ’16, next talk!) can be fulfilled using unitary 2-designs.

  24. Non-malleability

  29. classical non-malleability (NM)
      ◮ NM first defined in the context of public key cryptography (Dolev, Dwork, Naor ’95)
      ◮ Simulation-based security definition in terms of relations on plaintext space
      ! NM can be characterized as a certain kind of chosen ciphertext indistinguishability (Bellare and Sahai ’99)
      ◮ Information theoretic definition using entropy: $(X, C)$, $(\tilde X, \tilde C)$ two plaintext ciphertext pairs, $C \neq \tilde C$
        def: scheme is NM if $I(\tilde X : \tilde C \mid XC) = 0$ (Hanaoka et al. ’02)
      ◮ later ≈ simulation-based definition (McAven, Safavi-Naini, Yung ’04)

  30. the no-cloning problem
      ◮ Classical NM:

  34. the no-cloning problem
      ◮ Quantum NM: No Cloning!

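  38. Quantum symmetric key encryption
      def: Quantum encryption scheme: $(\mathrm{Enc}_k, \mathrm{Dec}_k)$
      ◮ classical uniformly random key $k$
      ◮ encryption map $(\mathrm{Enc}_k)_{A \to C}$, decryption map $(\mathrm{Dec}_k)_{C \to \bar A}$
      ◮ $\mathcal{H}_{\bar A} = \mathcal{H}_A \oplus \mathbb{C}|\bot\rangle$
      ◮ correctness: $\mathrm{Dec}_k \circ \mathrm{Enc}_k = \mathrm{id}_A$
      ◮ average encryption map: $\mathrm{Enc}_K = \mathbb{E}_k\, \mathrm{Enc}_k$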

  42. Setup for q-non-malleability
      ◮ Recall: classical non-malleability setup
      ◮ add reference system
      ◮ allow side info for adversary
      def: effective map on plaintexts and side info $\tilde\Lambda = \mathbb{E}_k[\mathrm{Dec}_k \circ \Lambda \circ \mathrm{Enc}_k]$
      [Figure: Alice, Bob, Mallory]

  47. New definition
      ◮ idea: define NM such that Mallory cannot increase her correlations with the honest parties
      ◮ Unavoidable attack: probabilistically discard the ciphertext
      ⇒ only allow the unavoidable attack.
      Definition (Quantum non-malleability (qNM)): A scheme $\Pi = (\mathrm{Enc}_k, \mathrm{Dec}_k)$ is non-malleable, if for all states $\rho_{ABR}$ and all attacks $\Lambda_{CB \to C\tilde B}$,
        $I(AR : \tilde B)_\sigma \le I(AR : B)_\rho + h(p_=(\Lambda, \rho))$,
      with $\sigma_{A\tilde B R} = \tilde\Lambda_{AB \to A\tilde B}(\rho_{ABR})$.
        $p_=(\Lambda, \rho) = F\big(\mathrm{tr}_{\tilde B}\, \Lambda_{CB \to C\tilde B}(|\phi^+\rangle\langle\phi^+|_{CC'} \otimes \rho_B),\ |\phi^+\rangle\langle\phi^+|_{CC'}\big)^2$

  48. Alternative characterization
      ◮ qNM can be characterized in the simulation picture!
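The bank-transfer story from the motivation slides, as an added example that is not part of the talk: a one-time pad keeps the transfer secret, yet the amount can be changed in the ciphertext without the key, and a tag over the ciphertext makes the bank reject the change. The helper names are hypothetical, and HMAC-SHA256 is a computational stand-in chosen here, not the information-theoretic notion the slides define.

```python
import hashlib
import hmac
import secrets

# Constructed sample messages, taken from the slides' bank-transfer story.
SENT = "Transfer 1000€ to <notebook store>".encode()
WANTED = "Transfer 9888€ to <notebook store>".encode()

def xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))

def otp(key: bytes, data: bytes) -> bytes:
    """One-time pad: encryption and decryption are the same XOR."""
    return xor(key, data)

def tamper(ciphertext: bytes, guessed: bytes, wanted: bytes) -> bytes:
    """The change in transit: needs a guess of the plaintext, never the key."""
    return xor(ciphertext, xor(guessed, wanted))

def seal(enc_key: bytes, mac_key: bytes, msg: bytes) -> bytes:
    """Encrypt-then-MAC: append an HMAC-SHA256 tag over the ciphertext."""
    ct = otp(enc_key, msg)
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()

def unseal(enc_key: bytes, mac_key: bytes, blob: bytes):
    """Return the plaintext, or None (reject) if the tag does not verify."""
    ct, tag = blob[:-32], blob[-32:]
    good = hmac.new(mac_key, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        return None
    return otp(enc_key, ct)

def demo():
    k1, k2 = secrets.token_bytes(len(SENT)), secrets.token_bytes(len(SENT))
    mac_key = secrets.token_bytes(32)
    # Unauthenticated pad: the bank decrypts the altered amount.
    unauthenticated = otp(k1, tamper(otp(k1, SENT), SENT, WANTED))
    # Authenticated: the same change to the ciphertext is rejected.
    blob = seal(k2, mac_key, SENT)
    forged = tamper(blob[:-32], SENT, WANTED) + blob[-32:]
    return unauthenticated, unseal(k2, mac_key, blob), unseal(k2, mac_key, forged)

if __name__ == "__main__":
    print(demo())
```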
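The average encryption map (slide 38) and the effective map (slide 42) computed for one concrete scheme, as an added example that is not part of the talk. The scheme is an assumption made here: the single-qubit quantum one-time pad with a uniformly random Pauli key, which the slides do not name, and the attack carries no side information B. The averaged ciphertext is maximally mixed, yet the effective map is an exact bit flip on the plaintext, which is not the "discard the ciphertext" attack the slides call unavoidable.

```python
# 2x2 complex matrices as nested tuples, no dependencies.
I2 = ((1, 0), (0, 1))
X = ((0, 1), (1, 0))
Z = ((1, 0), (0, -1))

def mul(a, b):
    return tuple(tuple(sum(a[i][k] * b[k][j] for k in range(2))
                       for j in range(2)) for i in range(2))

def dagger(a):
    return tuple(tuple(complex(a[j][i]).conjugate() for j in range(2))
                 for i in range(2))

def conj(u, rho):
    """Unitary channel rho -> u rho u^dagger."""
    return mul(mul(u, rho), dagger(u))

def average(mats):
    return tuple(tuple(sum(m[i][j] for m in mats) / len(mats)
                       for j in range(2)) for i in range(2))

# Assumed scheme: key k picks a Pauli P_k from {I, X, Z, XZ} uniformly.
KEYS = (I2, X, Z, mul(X, Z))

def enc(p, rho):
    return conj(p, rho)           # Enc_k(rho) = P_k rho P_k^dagger

def dec(p, rho):
    return conj(dagger(p), rho)   # Dec_k(rho) = P_k^dagger rho P_k

def average_encryption(rho):
    """Enc_K = E_k Enc_k: the ciphertext as seen without the key."""
    return average([enc(p, rho) for p in KEYS])

def effective_map(attack, rho):
    """Lambda~ = E_k[Dec_k o Lambda o Enc_k], with trivial side info B."""
    return average([dec(p, attack(enc(p, rho))) for p in KEYS])

def bit_flip(rho):
    return conj(X, rho)           # attack applied to the ciphertext

def close(a, b, tol=1e-12):
    return all(abs(a[i][j] - b[i][j]) < tol
               for i in range(2) for j in range(2))

ZERO = ((1, 0), (0, 0))           # |0><0|
ONE = ((0, 0), (0, 1))            # |1><1|
MIXED = ((0.5, 0), (0, 0.5))      # I/2

if __name__ == "__main__":
    print(close(average_encryption(ZERO), MIXED))     # secrecy check
    print(close(effective_map(bit_flip, ZERO), ONE))  # malleability check
```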
