
Quantum secure message authentication via blind-unforgeability

Christian Majenz. Joint work with Gorjan Alagic, Alexander Russell and Fang Song. QCrypt 2018, Shanghai, China.


  1. Quantum secure message authentication via blind-unforgeability. Christian Majenz. Joint work with Gorjan Alagic, Alexander Russell and Fang Song. QCrypt 2018, Shanghai, China.

  2. Message authentication. [Diagram: Alice sends $m$ to Bob.]

  3. Message authentication. [Diagram: Alice sends $m$; Bob receives $m'$. In between: "… the Internet is a scary place…"]

  4. Message authentication. Problem: how can Bob check if a message came from Alice and is unchanged? [Diagram: Alice sends $m$; Bob receives $m'$. In between: "… the Internet is a scary place…" Bob: acc/rej?]

  5. Message authentication. Problem: how can Bob check if a message came from Alice and is unchanged? Solution: message authentication code (MAC) (some efficient function $\mathrm{Mac}$).

  6. Message authentication. Problem: how can Bob check if a message came from Alice and is unchanged? Solution: message authentication code (MAC) (some efficient function $\mathrm{Mac}$). [Diagram: Alice and Bob each hold the key $k$; Alice holds $m$.]

  7. Message authentication. Problem: how can Bob check if a message came from Alice and is unchanged? Solution: message authentication code (MAC) (some efficient function $\mathrm{Mac}$). [Diagram: Alice and Bob each hold the key $k$; Alice computes $t$ from $m$ using Mac.]

  8. Message authentication. Problem: how can Bob check if a message came from Alice and is unchanged? Solution: message authentication code (MAC) (some efficient function $\mathrm{Mac}$). [Diagram: Alice and Bob each hold the key $k$; Alice computes $t$ from $m$ using Mac and sends $(m, t)$; Bob receives $(m', t')$. In between: "… the Internet is a scary place…"]

  9. Message authentication. Problem: how can Bob check if a message came from Alice and is unchanged? Solution: message authentication code (MAC) (some efficient function $\mathrm{Mac}$). [Diagram: Alice and Bob each hold the key $k$; Alice computes $t$ from $m$ using Mac and sends $(m, t)$; Bob receives $(m', t')$, applies Mac to $m'$ and checks $\overset{?}{=} t'$: acc/rej. In between: "… the Internet is a scary place…"]

  10. Message authentication. Problem: how can Bob check if a message came from Alice and is unchanged? Solution: message authentication code (MAC) (some efficient function $\mathrm{Mac}$). [Diagram: Alice and Bob each hold the key $k$; Alice computes $t$ from $m$ using Mac and sends $(m, t)$; Bob receives $(m', t')$, applies Mac to $m'$ and checks $\overset{?}{=} t'$: acc/rej. In between: "… the Internet is a scary place…"] Note: Bob is only checking consistency with the function .

  11. Message authentication. What properties should a MAC satisfy to be secure?

  12. Message authentication. What properties should a MAC satisfy to be secure? What are we worried about? Forgeries!

  13. Message authentication. What properties should a MAC satisfy to be secure? What are we worried about? Forgeries! • plain forgery: $(m, \mathrm{Mac}_k(m))$

  14. Message authentication. What properties should a MAC satisfy to be secure? What are we worried about? Forgeries! • plain forgery: $(m, \mathrm{Mac}_k(m))$ • “malleability” attacks: $(m, \mathrm{Mac}_k(m)) \to (m', \mathrm{Mac}_k(m'))$

  15. Message authentication. What properties should a MAC satisfy to be secure? What are we worried about? Forgeries! • plain forgery: $(m, \mathrm{Mac}_k(m))$ • “malleability” attacks: $(m, \mathrm{Mac}_k(m)) \to (m', \mathrm{Mac}_k(m'))$ • using an oracle to produce a fresh forgery (most general attack). [Diagram: $\mathrm{Mac}_k$ oracle; output labelled "(fresh)".]

  16. Message authentication. What properties should a MAC satisfy to be secure? What are we worried about? Forgeries! • plain forgery: $(m, \mathrm{Mac}_k(m))$ • “malleability” attacks: $(m, \mathrm{Mac}_k(m)) \to (m', \mathrm{Mac}_k(m'))$ • using an oracle to produce a fresh forgery (most general attack). [Diagram: $\mathrm{Mac}_k$ oracle; output labelled "(fresh)".] Key property: unpredictability of $\mathrm{Mac}_k$.

  17. Classical security: Unforgeability. A message authentication code is secure, if no successful forger exists:

  18. Classical security: Unforgeability. A message authentication code is secure, if no successful forger exists: [Diagram: $\mathrm{Mac}_k$ oracle.]

  19. Classical security: Unforgeability. A message authentication code is secure, if no successful forger exists: [Diagram: $\mathrm{Mac}_k$ oracle; query $m_1$, response $t_1$.]

  20. Classical security: Unforgeability. A message authentication code is secure, if no successful forger exists: [Diagram: $\mathrm{Mac}_k$ oracle; queries $m_1, m_2$, responses $t_1, t_2$.]

  21. Classical security: Unforgeability. A message authentication code is secure, if no successful forger exists: [Diagram: $\mathrm{Mac}_k$ oracle; queries $m_1, m_2, \dots, m_q$, responses $t_1, t_2, \dots, t_q$.]

  22. Classical security: Unforgeability. A message authentication code is secure, if no successful forger exists: [Diagram: $\mathrm{Mac}_k$ oracle; queries $m_1, m_2, \dots, m_q$, responses $t_1, t_2, \dots, t_q$; output $(m^*, t^*)$.]

  23. Classical security: Unforgeability. A message authentication code is secure, if no successful forger exists: [Diagram: $\mathrm{Mac}_k$ oracle; queries $m_1, m_2, \dots, m_q$, responses $t_1, t_2, \dots, t_q$; output $(m^*, t^*)$.] Success: i) $m^* \neq m_i$ for all $i = 1, \dots, q$; ii) $\mathrm{Mac}_k(m^*) = t^*$.

  24. Classical security: Unforgeability. A message authentication code is secure, if no successful forger exists: [Diagram: $\mathrm{Mac}_k$ oracle; queries $m_1, m_2, \dots, m_q$, responses $t_1, t_2, \dots, t_q$; output $(m^*, t^*)$.] Success: i) $m^* \neq m_i$ for all $i = 1, \dots, q$; ii) $\mathrm{Mac}_k(m^*) = t^*$. “Existential unforgeability under chosen message attacks”, EUF-CMA.

  25. Classical security: Unforgeability. A message authentication code is secure, if no successful forger exists: [Diagram: $\mathrm{Mac}_k$ oracle; queries $m_1, m_2, \dots, m_q$, responses $t_1, t_2, \dots, t_q$; output $(m^*, t^*)$.] Success: i) $m^* \neq m_i$ for all $i = 1, \dots, q$; ii) $\mathrm{Mac}_k(m^*) = t^*$. “Existential unforgeability under chosen message attacks”, EUF-CMA. What if the adversary has quantum oracle access to $\mathrm{Mac}_k$?

  26. Classical security: Unforgeability. A message authentication code is secure, if no successful forger exists: [Diagram: $\mathrm{Mac}_k$ oracle; queries $m_1, m_2, \dots, m_q$, responses $t_1, t_2, \dots, t_q$; output $(m^*, t^*)$.] Success: i) $m^* \neq m_i$ for all $i = 1, \dots, q$; ii) $\mathrm{Mac}_k(m^*) = t^*$. “Existential unforgeability under chosen message attacks”, EUF-CMA. What if the adversary has quantum oracle access to $\mathrm{Mac}_k$? Example: i) Query $m_1 = \sum_{m \in \{0,1\}^n} |m\rangle|0\rangle$ to obtain $\sum_{m \in \{0,1\}^n} |m\rangle|\mathrm{Mac}_k(m)\rangle$; ii) Measure in the computational basis to obtain $(m, \mathrm{Mac}_k(m))$ for random $m$; iii) Output $(m, \mathrm{Mac}_k(m))$.

  27. Classical security: Unforgeability. A message authentication code is secure, if no successful forger exists: [Diagram: $\mathrm{Mac}_k$ oracle; queries $m_1, m_2, \dots, m_q$, responses $t_1, t_2, \dots, t_q$; output $(m^*, t^*)$.] Success: i) $m^* \neq m_i$ for all $i = 1, \dots, q$; ii) $\mathrm{Mac}_k(m^*) = t^*$. “Existential unforgeability under chosen message attacks”, EUF-CMA. What if the adversary has quantum oracle access to $\mathrm{Mac}_k$? Example: i) Query $m_1 = \sum_{m \in \{0,1\}^n} |m\rangle|0\rangle$ to obtain $\sum_{m \in \{0,1\}^n} |m\rangle|\mathrm{Mac}_k(m)\rangle$; ii) Measure in the computational basis to obtain $(m, \mathrm{Mac}_k(m))$ for random $m$; iii) Output $(m, \mathrm{Mac}_k(m))$. EUF-CMA doesn’t make sense anymore…

  28. Quantum. What does it mean for a function to be unpredictable against quantum? What is a good predictor?

  29. Quantum. What does it mean for a function to be unpredictable against quantum? What is a good predictor? Not a good predictor: i) Query $m_1 = \sum_{m \in \{0,1\}^n} |m\rangle|0\rangle$ to obtain $\sum_{m \in \{0,1\}^n} |m\rangle|\mathrm{Mac}_k(m)\rangle$; ii) Measure in the computational basis to obtain $(m, \mathrm{Mac}_k(m))$ for random $m$; iii) Output $(m, \mathrm{Mac}_k(m))$.

  30. Quantum. What does it mean for a function to be unpredictable against quantum? What is a good predictor? Not a good predictor: i) Query $m_1 = \sum_{m \in \{0,1\}^n} |m\rangle|0\rangle$ to obtain $\sum_{m \in \{0,1\}^n} |m\rangle|\mathrm{Mac}_k(m)\rangle$; ii) Measure in the computational basis to obtain $(m, \mathrm{Mac}_k(m))$ for random $m$; iii) Output $(m, \mathrm{Mac}_k(m))$. A good predictor: key $k$ specifies a random periodic function $f_k$ with period $p_k$, and $\mathrm{Mac}_k(x) = f_k(x)\ \forall x \neq p_k$, $\mathrm{Mac}_k(p_k) = 0$. i) run period finding to find $p_k$; ii) output $(p_k, 0)$.

  31. Boneh Zhandry unforgeability. A proposal (Boneh and Zhandry, EUROCRYPT 2013): Ask $q + 1$ forgeries for $q$ queries!

  32. Boneh Zhandry unforgeability. A proposal (Boneh and Zhandry, EUROCRYPT 2013): Ask $q + 1$ forgeries for $q$ queries! [Diagram: $\mathrm{Mac}_k$ oracle; queries $m_1, m_2, \dots, m_q$, responses $t_1, t_2, \dots, t_q$; output $(m^*_1, t^*_1), (m^*_2, t^*_2), \dots, (m^*_{q+1}, t^*_{q+1})$.] Success: $\mathrm{Mac}_k(m^*_i) = t^*_i\ \forall i = 1, \dots, q + 1$.

  33. Boneh Zhandry unforgeability. A proposal (Boneh and Zhandry, EUROCRYPT 2013): Ask $q + 1$ forgeries for $q$ queries! [Diagram: $\mathrm{Mac}_k$ oracle; queries $m_1, m_2, \dots, m_q$, responses $t_1, t_2, \dots, t_q$; output $(m^*_1, t^*_1), (m^*_2, t^*_2), \dots, (m^*_{q+1}, t^*_{q+1})$.] Success: $\mathrm{Mac}_k(m^*_i) = t^*_i\ \forall i = 1, \dots, q + 1$. Has some nice properties: • Equivalent to EUF-CMA for classical oracle • A random function is BZ-unforgeable (BZ ’13)

  34. The right definition? [Diagram: $\mathrm{Mac}_k$ oracle; queries $m_1, m_2, \dots, m_q$, responses $t_1, t_2, \dots, t_q$; output $(m^*_1, t^*_1), (m^*_2, t^*_2), \dots, (m^*_{q+1}, t^*_{q+1})$.] Success: $\mathrm{Mac}_k(m^*_i) = t^*_i\ \forall i = 1, \dots, q + 1$.

  35. The right definition? [Diagram: $\mathrm{Mac}_k$ oracle; queries $m_1, m_2, \dots, m_q$, responses $t_1, t_2, \dots, t_q$; output $(m^*_1, t^*_1), (m^*_2, t^*_2), \dots, (m^*_{q+1}, t^*_{q+1})$.] Success: $\mathrm{Mac}_k(m^*_i) = t^*_i\ \forall i = 1, \dots, q + 1$. Is this really right? What does your quantum intuition tell you? What if… • adversary has to fully measure many queries to generate one forgery? (no-cloning)
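
Added example, not part of the original slides: the classical EUF-CMA success test (slides 17 to 24) and the Boneh-Zhandry "q + 1 forgeries for q queries" test (slides 31 to 33) run side by side against a classical oracle, where the slides state the two notions are equivalent. Assumptions: HMAC-SHA256 stands in for Mac, `weak_mac` is a constructed malleable toy, and all class and function names are hypothetical.

```python
import hashlib, hmac, os

class MacOracle:
    """Classical Mac_k oracle; records each (m_i, t_i) it answers."""
    def __init__(self, mac):
        self.mac, self.key, self.transcript = mac, os.urandom(32), []
    def query(self, m):
        t = self.mac(self.key, m)
        self.transcript.append((m, t))
        return t
    def verify(self, m, t):
        return hmac.compare_digest(self.mac(self.key, m), t)

def hmac_sha256(k, m):
    return hmac.new(k, m, hashlib.sha256).digest()

def weak_mac(k, m):
    # Constructed toy MAC (assumption): the last byte is not authenticated.
    return hmac.new(k, m[:-1], hashlib.sha256).digest()

def euf_cma_success(oracle, m_star, t_star):
    # i) m* != m_i for all i = 1..q    ii) Mac_k(m*) = t*
    queried = [m for m, _ in oracle.transcript]
    return m_star not in queried and oracle.verify(m_star, t_star)

def bz_success(oracle, pairs):
    # q + 1 valid pairs after q queries; pairs must be distinct,
    # otherwise a single valid pair could simply be repeated.
    q, distinct = len(oracle.transcript), set(pairs)
    return len(distinct) >= q + 1 and all(oracle.verify(m, t) for m, t in distinct)

def replay_adversary(oracle):
    m = b"pay alice 10"            # constructed sample message
    return m, oracle.query(m)      # outputs a pair it was handed: not fresh

def malleability_adversary(oracle):
    t = oracle.query(b"pay alice 10")
    return b"pay alice 11", t      # reuse the tag on a modified message

def play(mac, adversary):
    """Run one adversary; return (EUF-CMA success, BZ success)."""
    oracle = MacOracle(mac)
    m_star, t_star = adversary(oracle)
    pairs = oracle.transcript + [(m_star, t_star)]  # BZ output: all known pairs
    return euf_cma_success(oracle, m_star, t_star), bz_success(oracle, pairs)

if __name__ == "__main__":
    for mac in (hmac_sha256, weak_mac):
        for adv in (replay_adversary, malleability_adversary):
            print(mac.__name__, adv.__name__, play(mac, adv))
```

The freshness check in `euf_cma_success` depends on the oracle's classical transcript, which is exactly what a superposition query (slide 26) does not leave behind; `bz_success` only counts queries.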
