quantum secure message authentication via blind
play

Quantum secure message authentication via blind-unforgeability - PowerPoint PPT Presentation

Jan 12, 2024 •603 likes •1.3k views

Quantum secure message authentication via blind-unforgeability Christian Majenz Joint work with Gorjan Alagic, Alexander Russell and Fang Song QCrypt 2018, Shanghai, China Message authentication Alice Bob m Message authentication Alice Bob

  1. Quantum secure message authentication via blind-unforgeability Christian Majenz Joint work with Gorjan Alagic, Alexander Russell and Fang Song QCrypt 2018, Shanghai, China

  2. Message authentication Alice Bob m

  3. Message authentication Alice Bob m m ′ � … the m m ′ � Internet is a scary place…

  4. Message authentication Problem: how can Bob check if a message came from Alice and is unchanged? Alice Bob m m ′ � … the m m ′ � Internet is a scary place… acc/rej?

  5. Message authentication Problem: how can Bob check if a message came from Alice and is unchanged? Solution: message authentication code (MAC) (some efficient function Mac )

  6. Message authentication Problem: how can Bob check if a message came from Alice and is unchanged? Solution: message authentication code (MAC) (some efficient function Mac ) Alice Bob m k k

  7. Message authentication Problem: how can Bob check if a message came from Alice and is unchanged? Solution: message authentication code (MAC) (some efficient function Mac ) Alice Bob m k k Mac 𝑢

  8. Message authentication Problem: how can Bob check if a message came from Alice and is unchanged? Solution: message authentication code (MAC) (some efficient function Mac ) Alice Bob m m ′ � k k … the m m ′ � 𝑢 𝑢 ′ � Internet is Mac a scary place… 𝑢 𝑢 ′ �

  9. Message authentication Problem: how can Bob check if a message came from Alice and is unchanged? Solution: message authentication code (MAC) (some efficient function Mac ) Alice Bob m m ′ � k k … the m m ′ � 𝑢 𝑢 ′ � Internet is Mac Mac a scary place… ? = 𝑢 𝑢 ′ � acc/rej

  10. Message authentication Problem: how can Bob check if a message came from Alice and is unchanged? Solution: message authentication code (MAC) (some efficient function Mac ) Alice Bob m m ′ � k k … the m m ′ � 𝑢 𝑢 ′ � Internet is Mac Mac a scary place… ? = 𝑢 𝑢 ′ � acc/rej Note: Bob is only checking consistency with the function .

  11. Message authentication What properties should a MAC satisfy to be secure?

  12. Message authentication What properties should a MAC satisfy to be secure? What are we worried about? Forgeries!

  13. Message authentication What properties should a MAC satisfy to be secure? What are we worried about? Forgeries! • plain forgery: ( 𝑛 , 𝐍𝐛𝐝 𝑙 ( 𝑛 ))

  14. Message authentication What properties should a MAC satisfy to be secure? What are we worried about? Forgeries! • plain forgery: ( 𝑛 , 𝐍𝐛𝐝 𝑙 ( 𝑛 )) • “malleability” attacks: ( 𝑛 , 𝐍𝐛𝐝 𝑙 ( 𝑛 )) ( 𝑛 ′ � , 𝐍𝐛𝐝 𝑙 ( 𝑛 ′ � ))

  15. Message authentication What properties should a MAC satisfy to be secure? What are we worried about? Forgeries! • plain forgery: ( 𝑛 , 𝐍𝐛𝐝 𝑙 ( 𝑛 )) • “malleability” attacks: ( 𝑛 , 𝐍𝐛𝐝 𝑙 ( 𝑛 )) ( 𝑛 ′ � , 𝐍𝐛𝐝 𝑙 ( 𝑛 ′ � )) • using an oracle to produce a fresh forgery (most general attack): 𝐍𝐛𝐝 𝑙 (fresh)

  16. Message authentication What properties should a MAC satisfy to be secure? What are we worried about? Forgeries! • plain forgery: ( 𝑛 , 𝐍𝐛𝐝 𝑙 ( 𝑛 )) • “malleability” attacks: ( 𝑛 , 𝐍𝐛𝐝 𝑙 ( 𝑛 )) ( 𝑛 ′ � , 𝐍𝐛𝐝 𝑙 ( 𝑛 ′ � )) • using an oracle to produce a fresh forgery (most general attack): 𝐍𝐛𝐝 𝑙 (fresh) Key property: unpredictability of . 𝐍𝐛𝐝 𝑙

  17. Classical security: Unforgeability A message authentication code is secure, if no successful forger exists:

  18. Classical security: Unforgeability A message authentication code is secure, if no successful forger exists: 𝐍𝐛𝐝 𝑙

  19. Classical security: Unforgeability A message authentication code is secure, if no successful forger exists: 𝐍𝐛𝐝 𝑙 t 1 m 1

  20. Classical security: Unforgeability A message authentication code is secure, if no successful forger exists: 𝐍𝐛𝐝 𝑙 t 1 t 2 m 1 m 2

  21. Classical security: Unforgeability A message authentication code is secure, if no successful forger exists: 𝐍𝐛𝐝 𝑙 t 1 t 2 t q m 1 m 2 m q …

  22. Classical security: Unforgeability A message authentication code is secure, if no successful forger exists: 𝐍𝐛𝐝 𝑙 t 1 t 2 t q m 1 m 2 m q … ( m *, t *)

  23. Classical security: Unforgeability A message authentication code is secure, if no successful forger exists: 𝐍𝐛𝐝 𝑙 t 1 Success: t 2 t q i ) m * ≠ m i for all i = 1,..., q m 1 m 2 m q … ii ) Mac k ( m *) = t * ( m *, t *)

  24. Classical security: Unforgeability A message authentication code is secure, if no successful forger exists: 𝐍𝐛𝐝 𝑙 t 1 Success: t 2 t q i ) m * ≠ m i for all i = 1,..., q m 1 m 2 m q … ii ) Mac k ( m *) = t * ( m *, t *) “Existential unforgeability under chosen message attacks”, EUF-CMA

  25. Classical security: Unforgeability A message authentication code is secure, if no successful forger exists: 𝐍𝐛𝐝 𝑙 t 1 Success: t 2 t q i ) m * ≠ m i for all i = 1,..., q m 1 m 2 m q … ii ) Mac k ( m *) = t * ( m *, t *) “Existential unforgeability under chosen message attacks”, EUF-CMA W hat if the adversary has quantum oracle access to ? 𝐍𝐛𝐝 𝑙

  26. Classical security: Unforgeability A message authentication code is secure, if no successful forger exists: 𝐍𝐛𝐝 𝑙 t 1 Success: t 2 t q i ) m * ≠ m i for all i = 1,..., q m 1 m 2 m q … ii ) Mac k ( m *) = t * ( m *, t *) “Existential unforgeability under chosen message attacks”, EUF-CMA W hat if the adversary has quantum oracle access to ? 𝐍𝐛𝐝 𝑙 Example: ∑ ∑ i) Query to obtain m 1 = | m ⟩ | 0 ⟩ | m ⟩ | Mac k ( m ) ⟩ m ∈ {0,1} n m ∈ {0,1} n ii) Measure in the computational basis to obtain for random m ( m , Mac k ( m )) iii) Output ( m , Mac k ( m ))

  27. Classical security: Unforgeability A message authentication code is secure, if no successful forger exists: 𝐍𝐛𝐝 𝑙 t 1 Success: t 2 t q i ) m * ≠ m i for all i = 1,..., q m 1 m 2 m q … ii ) Mac k ( m *) = t * ( m *, t *) “Existential unforgeability under chosen message attacks”, EUF-CMA W hat if the adversary has quantum oracle access to ? 𝐍𝐛𝐝 𝑙 Example: ∑ ∑ i) Query to obtain m 1 = | m ⟩ | 0 ⟩ | m ⟩ | Mac k ( m ) ⟩ m ∈ {0,1} n m ∈ {0,1} n ii) Measure in the computational basis to obtain for random m ( m , Mac k ( m )) iii) Output ( m , Mac k ( m )) EUF-CMA doesn’t make sense anymore…

  28. Quantum What does it mean for a function to be unpredictable against quantum? What is a good predictor?

  29. Quantum What does it mean for a function to be unpredictable against quantum? What is a good predictor? Not a good predictor: ∑ ∑ i) Query to obtain | m ⟩ | 0 ⟩ | m ⟩ | Mac k ( m ) ⟩ m 1 = m ∈ {0,1} n m ∈ {0,1} n ii) Measure in the computational basis to obtain for random m ( m , Mac k ( m )) iii) Output ( m , Mac k ( m ))

  30. Quantum What does it mean for a function to be unpredictable against quantum? What is a good predictor? Not a good predictor: ∑ ∑ i) Query to obtain | m ⟩ | 0 ⟩ | m ⟩ | Mac k ( m ) ⟩ m 1 = m ∈ {0,1} n m ∈ {0,1} n ii) Measure in the computational basis to obtain for random m ( m , Mac k ( m )) iii) Output ( m , Mac k ( m )) A good predictor: key specifies a random periodic function with period p k f k k , and Mac k ( x ) = f k ( x ) ∀ x ≠ p k Mac k ( p k ) = 0 i) run period finding to find p k ii) output ( p k ,0)

  31. Boneh Zhandry unforgeability A proposal: (Boneh and Zhandry, EUROCRYPT 2013): Ask forgeries for queries! q q + 1

  32. Boneh Zhandry unforgeability A proposal: (Boneh and Zhandry, EUROCRYPT 2013): Ask forgeries for queries! q q + 1 Success: 𝐍𝐛𝐝 𝑙 t 1 t 2 i ∀ i = 1,..., q + 1 t q Mac k ( m * i ) = t * m 1 m 2 m q … ( m * 1 , t * 1 ), ( m * 2 , t * 2 ), . . . , ( m * q +1 , t * q +1 )

  33. Boneh Zhandry unforgeability A proposal: (Boneh and Zhandry, EUROCRYPT 2013): Ask forgeries for queries! q q + 1 Success: 𝐍𝐛𝐝 𝑙 t 1 t 2 i ∀ i = 1,..., q + 1 t q Mac k ( m * i ) = t * m 1 m 2 m q … ( m * 1 , t * 1 ), ( m * 2 , t * 2 ), . . . , ( m * q +1 , t * q +1 ) Has some nice properties: • Equivalent to EUF-CMA for classical oracle • A random function is BZ-unforgeable (BZ ’13)

  34. The right definition? Success: 𝐍𝐛𝐝 𝑙 t 1 t 2 t q i ∀ i = 1,..., q +1 Mac k ( m * i ) = t * m 1 m 2 m q … ( m * 1 , t * 1 ), ( m * 2 , t * 2 ), . . . , ( m * q +1 , t * q +1 )

  35. The right definition? Success: 𝐍𝐛𝐝 𝑙 t 1 t 2 t q i ∀ i = 1,..., q +1 Mac k ( m * i ) = t * m 1 m 2 m q … ( m * 1 , t * 1 ), ( m * 2 , t * 2 ), . . . , ( m * q +1 , t * q +1 ) Is this really right? What does your quantum intuition tell you? What if… • adversary has to fully measure many queries to generate one forgery? (no-cloning)

Recommend

Quantum-secure message authentication via blind-unforgeability Gorjan Alagic, Christian Majenz,

Quantum-secure message authentication via blind-unforgeability Gorjan Alagic, Christian Majenz,

Quantum-secure message authentication via blind-unforgeability Gorjan Alagic, Christian Majenz, Alexander Russell and Fang Song Eurocrypt 2020, in Cyberspace Introduction Integrity and authenticity Integrity and authenticity It says X

785 views • 63 slides
Quantum-Secure Message Authentication Codes Dan Boneh and Mark

Quantum-Secure Message Authentication Codes Dan Boneh and Mark

Quantum-Secure Message Authentication Codes Dan Boneh and Mark Zhandry Stanford University 1/19 Classical Chosen Message Attack (CMA) m i i = S ( k, m i )

658 views • 19 slides
1 Message Encryption- see Table 11.1 in the book Message Encryption if public-key encryption

1 Message Encryption- see Table 11.1 in the book Message Encryption if public-key encryption

Message Authentication CPE 542: CRYPTOGRAPHY & NETWORK SECURITY message authentication is concerned with: protecting the integrity of a message Chapter 11 Message Authentication and validating identity of originator Hash

462 views • 6 slides
Message Authentication MAC and Hash SMU CSE 5349/49 Message Authentication Verify that

Message Authentication MAC and Hash SMU CSE 5349/49 Message Authentication Verify that

Message Authentication MAC and Hash SMU CSE 5349/49 Message Authentication Verify that messages come from the alleged source, unaltered SMU CSE 5349/7349 Authentication Functions Message encryption Ciphertext itself serves as

1.16k views • 69 slides
Chapter3 Public-Key Cryptography and Message Authentication Henric Johnson/jme 1 OUTLINE

Chapter3 Public-Key Cryptography and Message Authentication Henric Johnson/jme 1 OUTLINE

Chapter3 Public-Key Cryptography and Message Authentication Henric Johnson/jme 1 OUTLINE Approaches to Message Authentication Secure Hash Functions (SHA) and Keyed- Hash Message Authentication Code (HMAC) Public-Key Cryptography

458 views • 29 slides
THE RANK METHOD AND APPLICATIONS TO QUANTUM LOWER BOUNDS Mark Zhandry Joint work with Dan Boneh

THE RANK METHOD AND APPLICATIONS TO QUANTUM LOWER BOUNDS Mark Zhandry Joint work with Dan Boneh

THE RANK METHOD AND APPLICATIONS TO QUANTUM LOWER BOUNDS Mark Zhandry Joint work with Dan Boneh This Talk Highlight technique from very recent paper: Quantum-Secure Message Authentication Codes Specifically: Quantum Oracle Interrogation

734 views • 25 slides
Crypto Conclusion (maybe) Message Authentication Codes Key Management Fall 2018 CS 334:

Crypto Conclusion (maybe) Message Authentication Codes Key Management Fall 2018 CS 334:

Crypto Conclusion (maybe) Message Authentication Codes Key Management Fall 2018 CS 334: Computer Security 1 Message Authentication message authentication is concerned with: protecting the integrity of a message Confirming

512 views • 48 slides
References Message Authentication Codes (MACs) Message Authentication Codes (MACs), Chapter

References Message Authentication Codes (MACs) Message Authentication Codes (MACs), Chapter

Message Authentication Codes (MACs) Message Authentication Codes (MACs) References Message Authentication Codes (MACs) Message Authentication Codes (MACs), Chapter 12 of Understanding Cryptography by Paar & Pelzl Jim Royer Message

224 views • 3 slides
Quantum Authentication with Key Recycling Christopher Portmann Dept. Physics, ETH Zurich,

Quantum Authentication with Key Recycling Christopher Portmann Dept. Physics, ETH Zurich,

Introduction Classical secure channel Quantum secure channel Quantum Authentication with Key Recycling Christopher Portmann Dept. Physics, ETH Zurich, Switzerland Dept. of Computer Science, ETH Zurich, Switzerland EUROCRYPT 2017, Paris, 4 May

717 views • 54 slides
Message authentication and digital signatures " Message authentication verify that the

Message authentication and digital signatures " Message authentication verify that the

Message authentication and digital signatures " Message authentication verify that the message is from the right sender, and not modified (incl message sequence) " Digital signatures in addition, non ! repudiation " Two

439 views • 23 slides
Crypto Conclusion Message Authentication Codes Key Management Fall 2012 CS 334: Computer

Crypto Conclusion Message Authentication Codes Key Management Fall 2012 CS 334: Computer

Crypto Conclusion Message Authentication Codes Key Management Fall 2012 CS 334: Computer Security 1 Message Authentication message authentication is concerned with: protecting the integrity of a message Confirming identity of

982 views • 46 slides
ZMAC: A Fast Tweakable Block Cipher Mode for Highly Secure Message Authentication Tetsu Iwata

ZMAC: A Fast Tweakable Block Cipher Mode for Highly Secure Message Authentication Tetsu Iwata

ZMAC: A Fast Tweakable Block Cipher Mode for Highly Secure Message Authentication Tetsu Iwata 1 Kazuhiko Minematsu 2 Thomas Peyrin 3 Yannick Seurin 4 1 Nagoya University (Japan) and 2 NEC (Japan) 3 NTU (Singapore) and 4 ANSSI (France)

378 views • 35 slides
Security 2 CSC 249 April 12, 2018 Network Security Recap Message Integrity and Authentication

Security 2 CSC 249 April 12, 2018 Network Security Recap Message Integrity and Authentication

Security 2 CSC 249 April 12, 2018 Network Security Recap Message Integrity and Authentication Trusted Intermediaries Secure email pretty good privacy (PGP) 2 1 Cryptographic Keys Alices Bobs K A encryption decryption K B key

427 views • 13 slides
Authentication, vulnerabilities, exploits, and the secure design principles of Saltzer and

Authentication, vulnerabilities, exploits, and the secure design principles of Saltzer and

Authentication, vulnerabilities, exploits, and the secure design principles of Saltzer and Schroeder Authentication in general Bishop: Authentication is the binding of an identity to a principal. Network-based authentication mechanisms

1.6k views • 43 slides
Message Authentication Codes Digital Signatures Lecture 11 Shafi Goldwasser Authentication

Message Authentication Codes Digital Signatures Lecture 11 Shafi Goldwasser Authentication

Message Authentication Codes Digital Signatures Lecture 11 Shafi Goldwasser Authentication Problem Bob Alice k k message M Eve is Active: Can alter messages Can insert new messages Authentication Problem Secrecy is not the only

553 views • 37 slides
Data Integrity & Authentication Message Authentication Codes (MACs) Goal Ensure integrity

Data Integrity & Authentication Message Authentication Codes (MACs) Goal Ensure integrity

Data Integrity & Authentication Message Authentication Codes (MACs) Goal Ensure integrity of messages, even in presence of an active adversary who sends own messages. Alice Bob (sender) (reciever) Fran (forger) Remark: Authentication

450 views • 31 slides
Hash functions : MAC / HMAC Outline Message Authentication Codes Keyed hash family

Hash functions : MAC / HMAC Outline Message Authentication Codes Keyed hash family

Hash functions : MAC / HMAC Outline Message Authentication Codes Keyed hash family Unconditionally Secure MACs Ref: D Stinson: Cryprography Theory and Practice (3 rd ed), Chap 4. Universal hash family Notations: X is a

457 views • 12 slides
Secure SDN Authentication & Authorization for Multi-tenancy (DNS based PKI model) Author:

Secure SDN Authentication & Authorization for Multi-tenancy (DNS based PKI model) Author:

IETF94 2 Nov. 2015 Yokohama SDNRG WG Secure SDN Authentication & Authorization for Multi-tenancy (DNS based PKI model) Author: www.huawei.com Hosnieh Rafiee Ietf{at}rozanak.com Motivation Problem: secure SDN authentication,

546 views • 10 slides
Quantum Authentication and Encryption with Key Recycling Or: How to Re-use a One-Time Pad Even if

Quantum Authentication and Encryption with Key Recycling Or: How to Re-use a One-Time Pad Even if

Quantum Authentication and Encryption with Key Recycling Or: How to Re-use a One-Time Pad Even if P = NP Safely & Feasibly Serge Fehr Louis Salvail CWI Amsterdam University of Montral Encryption & Authentication Schemes with

829 views • 62 slides
Hash Functions, Message Hash Functions, Message Security Services Security Services

Hash Functions, Message Hash Functions, Message Security Services Security Services

Hash Functions, Message Hash Functions, Message Security Services Security Services Authentication Codes Authentication Codes Confidentiality : Symmetric encryption solves Integrity Ahmet Burak Can Authentication Hacettepe

341 views • 4 slides
Simple and Communication Complexity Efficient Almost Secure and Perfectly Secure Message

Simple and Communication Complexity Efficient Almost Secure and Perfectly Secure Message

Simple and Communication Complexity Efficient Almost Secure and Perfectly Secure Message Transmission Schemes Yvo Desmedt 1 , 2 Stelios Erotokritou 1 Reihaneh Safavi-Naini 3 1 Department of Computer Science University College London, UK 2

459 views • 33 slides
Computing World Dan Boneh and Mark Zhandry Stanford University Classical Chosen Message Attack

Computing World Dan Boneh and Mark Zhandry Stanford University Classical Chosen Message Attack

Secure Signatures and Chosen Ciphertext Security in a Quantum Computing World Dan Boneh and Mark Zhandry Stanford University Classical Chosen Message Attack (CMA) m = S(sk, m) signing key sk Classical CMA + Quantum Computer (post-quantum

341 views • 21 slides
Network Security Cryptography: Cryptographic Hash Functions And Message Authentication Code

Network Security Cryptography: Cryptographic Hash Functions And Message Authentication Code

Network Security Cryptography: Cryptographic Hash Functions And Message Authentication Code F033581 Topic 2: Hash Functions and 1 Message Authentication Readings for This Lecture Wikipedia Cryptographic Hash Functions Message

689 views • 25 slides
Message authentication and cryptographic hashing 2MMC10 Cryptology Andreas H ulsing

Message authentication and cryptographic hashing 2MMC10 Cryptology Andreas H ulsing

Message authentication and cryptographic hashing 2MMC10 Cryptology Andreas H ulsing September 20, 2018 A. H ulsing 2MMC10 Cryptology 1 / 12 Message authentication Sometimes we want more than secrecy! Acknowledgement of receipt,

262 views • 22 slides

More recommend