Quantum secure message authentication via blind-unforgeability
Christian Majenz
Joint work with Gorjan Alagic, Alexander Russell and Fang Song
QCrypt 2018, Shanghai, China
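Message authentication
Problem: how can Bob check if a message came from Alice and is unchanged?
Solution: message authentication code (MAC) (some efficient function Mac)
[Diagram: Alice and Bob share a key $k$. Alice computes $t = \mathrm{Mac}_k(m)$ and sends $(m, t)$; over the channel ("… the Internet is a scary place…") it becomes $(m', t')$. Bob computes Mac on $m'$ with $k$ and compares the result with $t'$ ($\stackrel{?}{=}$): acc/rej.]
Note: Bob is only checking consistency with the function .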
Message authentication
What properties should a MAC satisfy to be secure?
What are we worried about? Forgeries!
• plain forgery: $(m, \mathrm{Mac}_k(m))$
• “malleability” attacks: $(m, \mathrm{Mac}_k(m)) \to (m', \mathrm{Mac}_k(m'))$
• using an oracle to produce a fresh forgery (most general attack): oracle $\mathrm{Mac}_k$, output (fresh)
Key property: unpredictability of $\mathrm{Mac}_k$.
Classical security: Unforgeability
A message authentication code is secure if no successful forger exists:
[Diagram: the forger has oracle access to $\mathrm{Mac}_k$, makes queries $m_1, m_2, \dots, m_q$, receives $t_1, t_2, \dots, t_q$, and outputs $(m^*, t^*)$.]
Success:
i) $m^* \neq m_i$ for all $i = 1, \dots, q$
ii) $\mathrm{Mac}_k(m^*) = t^*$
“Existential unforgeability under chosen message attacks”, EUF-CMA
What if the adversary has quantum oracle access to $\mathrm{Mac}_k$?
Example:
i) Query $m_1 = \sum_{m \in \{0,1\}^n} |m\rangle|0\rangle$ to obtain $\sum_{m \in \{0,1\}^n} |m\rangle|\mathrm{Mac}_k(m)\rangle$
ii) Measure in the computational basis to obtain $(m, \mathrm{Mac}_k(m))$ for random $m$
iii) Output $(m, \mathrm{Mac}_k(m))$
EUF-CMA doesn’t make sense anymore…
Quantum
What does it mean for a function to be unpredictable against quantum adversaries? What is a good predictor?
Not a good predictor:
i) Query $m_1 = \sum_{m \in \{0,1\}^n} |m\rangle|0\rangle$ to obtain $\sum_{m \in \{0,1\}^n} |m\rangle|\mathrm{Mac}_k(m)\rangle$
ii) Measure in the computational basis to obtain $(m, \mathrm{Mac}_k(m))$ for random $m$
iii) Output $(m, \mathrm{Mac}_k(m))$
A good predictor: key $k$ specifies a random periodic function $f_k$ with period $p_k$, and
$\mathrm{Mac}_k(x) = f_k(x) \ \forall x \neq p_k$, $\mathrm{Mac}_k(p_k) = 0$
i) run period finding to find $p_k$
ii) output $(p_k, 0)$
Boneh Zhandry unforgeability
A proposal (Boneh and Zhandry, EUROCRYPT 2013): Ask for $q + 1$ forgeries for $q$ queries!
[Diagram: the forger has oracle access to $\mathrm{Mac}_k$, makes queries $m_1, m_2, \dots, m_q$, receives $t_1, t_2, \dots, t_q$, and outputs $(m^*_1, t^*_1), (m^*_2, t^*_2), \dots, (m^*_{q+1}, t^*_{q+1})$.]
Success: $\mathrm{Mac}_k(m^*_i) = t^*_i \ \forall i = 1, \dots, q + 1$
Has some nice properties:
• Equivalent to EUF-CMA for classical oracle
• A random function is BZ-unforgeable (BZ ’13)
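The EUF-CMA and Boneh-Zhandry success conditions, and the superposition-query example from the earlier slide, as an added Python sketch that is not part of the talk. Assumptions: HMAC-SHA256 truncated to 8 bytes stands in for Mac, n = 8, the quantum query followed by measurement is simulated classically by sampling a uniform m, and every function name is hypothetical.

```python
import hashlib
import hmac
import secrets

N_BITS = 8  # toy message length n (assumption for this example)

def mac(key, m):
    """Mac_k(m): truncated HMAC-SHA256, a stand-in for the slides' Mac."""
    return hmac.new(key, m.to_bytes(2, "big"), hashlib.sha256).digest()[:8]

def valid(key, m, t):
    return hmac.compare_digest(mac(key, m), t)

class ClassicalOracle:
    """Classical chosen-message oracle: every queried m_i is recorded."""
    def __init__(self, key):
        self.key, self.queried = key, []
    def query(self, m):
        self.queried.append(m)
        return mac(self.key, m)

def euf_cma_success(key, queried, forgery):
    """Success: i) m* != m_i for all i, and ii) Mac_k(m*) = t*."""
    m_star, t_star = forgery
    return m_star not in queried and valid(key, m_star, t_star)

def measure_superposition_query(key):
    """Classical simulation of one query on the uniform superposition over
    all m followed by a computational-basis measurement: the outcome is
    (m, Mac_k(m)) for uniform m, and no classical m_i was ever recorded."""
    m = secrets.randbelow(2 ** N_BITS)
    return m, mac(key, m)

def bz_success(key, q, pairs):
    """Boneh-Zhandry success: q + 1 distinct messages, all pairs valid."""
    return len({m for m, _ in pairs}) >= q + 1 and all(valid(key, m, t) for m, t in pairs)

def demo():
    key = secrets.token_bytes(16)
    oracle = ClassicalOracle(key)
    replay = (0x2A, oracle.query(0x2A))        # replaying a classical query
    classical = euf_cma_success(key, oracle.queried, replay)  # fails i)
    pair = measure_superposition_query(key)    # one quantum query, q = 1
    vacuous = euf_cma_success(key, [], pair)   # no m_i exists to compare against
    bz = bz_success(key, 1, [pair])            # one pair is not q + 1 = 2 pairs
    return classical, vacuous, bz

if __name__ == "__main__":
    print(demo())
```

With an empty query record, condition i) holds vacuously, which is why the measured pair cannot be ruled out by EUF-CMA; counting forgeries against queries rejects it because one query yields only one valid pair.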
The right definition?
[Diagram: the forger has oracle access to $\mathrm{Mac}_k$, makes queries $m_1, m_2, \dots, m_q$, receives $t_1, t_2, \dots, t_q$, and outputs $(m^*_1, t^*_1), (m^*_2, t^*_2), \dots, (m^*_{q+1}, t^*_{q+1})$.]
Success: $\mathrm{Mac}_k(m^*_i) = t^*_i \ \forall i = 1, \dots, q + 1$
Is this really right? What does your quantum intuition tell you?
What if…
• adversary has to fully measure many queries to generate one forgery? (no-cloning)