Cryptography for the quantum internet: Elements of a quantum TLS

SLIDE 1

Cryptography for the quantum internet

Elements of a “quantum TLS”

Christian Majenz

Colloquium Informatics Institute, University of Amsterdam

SLIDE 6

Quantum computers

  • Accelerating effort to build a quantum computer
  • Major investments:
  • Many applications! (In theory)
  • Quantum chemistry
  • Quantum Key Distribution
  • Quantum Money
  • Cryptanalysis
  • Machine learning
  • Distributed quantum computing
  • Multiparty quantum computation

Need a quantum network!

SLIDE 10

Quantum internet

How can we secure the Quantum internet?

SLIDE 11

Internet crypto

Let’s have a look at how the classical internet is secured.

SLIDE 23

The TLS protocol

Functionalities

  • Key establishment
  • Secure communication Session
  • (Server) authentication

Cryptographic Ingredients

  • Protocols: Key exchange/Key encapsulation, Authenticated encryption, Digital signatures
  • Hash functions, Block ciphers, Modes of operation, …

Quantum-ready?

SLIDE 24

Outline

  • Are we ready for encrypting the quantum internet?
  • Digital signatures I
  • Hash functions
  • Digital signatures II
  • Key exchange/key encapsulation
  • Authenticated Encryption
  • Summary and open problems

SLIDE 25

Digital Signatures I

Are we ready for encrypting the quantum internet?

SLIDE 34

Digital signatures

Alice holds sk and m; Bob holds pk.

  • Alice: σ = Sign_sk(m)
  • Alice → Bob: (m, σ)
  • Bob: Ver_pk(m, σ) = accept

Security: If (m′, σ′) was produced from (m, σ) without using sk, then Ver_pk(m′, σ′) = reject.

Slightly simplified…

SLIDE 38

Quantum digital signatures

What about signatures for quantum messages?

Theorem (Barnum et al. ’02; Alagic, Gagliardoni, M ’18): Quantum information cannot be signed.

Consequence of linearity of quantum theory, uses tools like “Channel Uhlmann” (Kretschmann ’06)

Is this the end of “Project Quantum TLS”?

SLIDE 43

The TLS protocol

Functionalities

  • Key establishment
  • Secure communication Session
  • (Server) authentication

Cryptographic Ingredients

  • Protocols: Key exchange/Key encapsulation (Quantum), Authenticated encryption (Quantum), Digital signatures (“post-quantum”)
  • Hash functions, Block ciphers, Modes of operation

😆

Quantum-ready?

SLIDE 44

Hash Functions

Are we ready for encrypting the quantum internet?

SLIDE 46

Hash functions

[Figure: hash function H; sample string “VvegyqO kSTbfH3 bnHHLM”]

Ubiquitous in cryptography. Examples:

  • Key encapsulation mechanisms
  • Digital signatures
  • Message authentication codes

SLIDE 52

Hash function security

Output should look random! Formalization difficult…

⟹ just model H as random, “Random Oracle Model” (ROM)

  • Reality ⟹ Model: uniformly random H : {0,1}* → {0,1}^n
  • All agents have oracle access to H
  • With quantum oracle access: Quantum Random Oracle Model (Boneh et al. ’10)

SLIDE 53

Digital Signatures II

Are we ready for encrypting the quantum internet?

SLIDE 55

Digital signatures

Alice holds sk and m; Bob holds pk.

  • Alice: σ = Sign_sk(m)
  • Alice → Bob: (m, σ)
  • Bob: Ver_pk(m, σ) = accept

Security: If (m′, σ′) was produced from (m, σ) without using sk, then Ver_pk(m′, σ′) = reject.

Computed in polynomial time

SLIDE 56

Digital signatures

Alice holds sk and m; Bob holds pk.

  • Alice: σ = Sign_sk(m)
  • Alice → Bob: (m, σ)
  • Bob: Ver_pk(m, σ) = accept

Security: If (m′, σ′) was produced from (m, σ) without using sk, then Ver_pk(m′, σ′) = reject.

Computed in quantum polynomial time

post-quantum

SLIDE 59

NIST competition

Goal: Standardize post-quantum secure signatures and key encapsulation mechanisms.

4 of the 9 round 2 signature schemes use the Fiat-Shamir transformation

SLIDE 60

Fiat-Shamir transformation

Removes interaction from identification schemes using hash functions

  • Identification scheme: like a signature but with interactive verification

SLIDE 67

Fiat-Shamir transformation

Removes interaction from identification schemes using hash functions ⟹ Digital signature scheme

Well-known: Security in the Random Oracle Model

How about the Quantum Random Oracle Model (QROM)?

Theorem (Don, Fehr, M, Schaffner ’19): Fiat-Shamir signatures are secure in the QROM.

Also proven concurrently by Liu, Zhandry. Less tight reduction.

More efficient NIST candidate signature schemes!!!
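
The transformation on this slide, carried through for one concrete identification scheme, as an added example that is not part of the talk. It uses Schnorr identification, a classical discrete-log scheme that is not post-quantum and serves here only to show the mechanics: the verifier's random challenge is replaced by a hash of the commitment and the message. The toy group parameters and all function names are constructed for this example.

```python
import hashlib
import secrets

Q = 2**127 - 1  # a Mersenne prime, used as the (toy-sized) order of the subgroup

def find_group():
    """Search for p = k*Q + 1 and an element g of order Q modulo p."""
    k = 2
    while True:
        p = k * Q + 1
        g = pow(2, k, p)
        # g^Q = 2^(p-1): this is 1 when p passes a base-2 Fermat test,
        # and then g != 1 has order exactly Q because Q is prime.
        if g != 1 and pow(g, Q, p) == 1:
            return p, g
        k += 2

P, G = find_group()

def keygen():
    sk = secrets.randbelow(Q - 1) + 1
    return sk, pow(G, sk, P)

# Interactive identification scheme: commitment, challenge, response.
def commit():
    r = secrets.randbelow(Q - 1) + 1
    return r, pow(G, r, P)

def respond(sk, r, c):
    return (r + c * sk) % Q

def check(pk, a, c, z):
    return pow(G, z, P) == (a * pow(pk, c, P)) % P

def identify(sk, pk):
    r, a = commit()               # prover -> verifier
    c = secrets.randbelow(Q)      # verifier -> prover: fresh random challenge
    z = respond(sk, r, c)         # prover -> verifier
    return check(pk, a, c, z)

# Fiat-Shamir: the hash (modelled as a random oracle) plays the verifier.
def challenge_hash(pk, a, m):
    data = b"|".join(str(v).encode() for v in (P, G, pk, a)) + b"|" + m
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def sign(sk, pk, m):
    r, a = commit()
    return a, respond(sk, r, challenge_hash(pk, a, m))

def verify(pk, m, sig):
    a, z = sig
    if not (0 < a < P and 0 <= z < Q):
        return False
    return check(pk, a, challenge_hash(pk, a, m), z)
```

The only difference between `identify` and `sign`/`verify` is where the challenge comes from, which is why the security proof has to reason about the adversary's (classical or quantum) access to the hash function.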

SLIDE 68

Key Exchange

Are we ready for encrypting the quantum internet?

SLIDE 73

Post-quantum key exchange

This is what Quantum Key Distribution (QKD) can do!* Unconditionally secure!!

Alternative: post-quantum secure Key Encapsulation

  + Classical, more efficient
  − Computational assumptions (similar to signatures, current internet crypto…)

SLIDE 74

Authenticated Encryption

Are we ready for encrypting the quantum internet?

SLIDE 75

The TLS protocol

Functionalities

  • Key establishment
  • Secure communication Session
  • (Server) authentication

Cryptographic Ingredients

  • Protocols: Key exchange/Key encapsulation (Quantum), Authenticated encryption (Quantum), Digital signatures (“post-quantum”)
  • Hash functions, Block ciphers, Modes of operation

Quantum-ready?

SLIDE 86

Authenticated Encryption

Alice holds k and m; Bob holds k.

  • Alice: c = Enc_k(m)
  • Alice → Bob: c
  • Bob: Dec_k(c) = m

Confidentiality: c doesn’t tell you anything about m.

Integrity: If c′ was produced from c without using k, then Dec_k(c′) = reject.

Slightly simplified…

SLIDE 87

Authenticated Encryption

Alice holds k and m; Bob holds k.

  • Alice: c = Enc_k(m)
  • Alice → Bob: c
  • Bob: Dec_k(c) = m

Confidentiality: c doesn’t tell you anything about m.

Integrity: If c′ was produced from c without using k, then Dec_k(c′) = reject.

Confidentiality + Integrity = Authenticated encryption

SLIDE 94

Real vs. Ideal

Alternative characterization (Shrimpton ’04):

  • Real: Enc_k, Dec_k
  • Ideal: Enc_k, $, reject

Except that =

Enforced by keeping a list of input-output pairs of
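
The real and ideal worlds for classical schemes, as an added example that is not part of the talk. The equation after "Except that" is missing from this transcript; the code assumes it says that decrypting a ciphertext handed out by the ideal encryption oracle returns the original message. The toy ciphers and all names are constructed for this example.

```python
import hashlib
import hmac
import secrets

def keystream(key, nonce, n):
    """HMAC-SHA256 in counter mode, used as a toy stream cipher."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

class StreamOnly:
    """Randomized encryption with confidentiality only (no integrity)."""
    def __init__(self):
        self.k = secrets.token_bytes(32)
    def enc(self, m):
        nonce = secrets.token_bytes(16)
        return nonce + bytes(a ^ b for a, b in zip(m, keystream(self.k, nonce, len(m))))
    def dec(self, c):
        if len(c) < 16:
            return None
        nonce, body = c[:16], c[16:]
        return bytes(a ^ b for a, b in zip(body, keystream(self.k, nonce, len(body))))

class EncryptThenMac(StreamOnly):
    """The same cipher plus an HMAC tag over the ciphertext."""
    def __init__(self):
        super().__init__()
        self.k_mac = secrets.token_bytes(32)
    def enc(self, m):
        c = super().enc(m)
        return c + hmac.new(self.k_mac, c, hashlib.sha256).digest()
    def dec(self, c):
        body, tag = c[:-32], c[-32:]
        good = hmac.new(self.k_mac, body, hashlib.sha256).digest()
        if len(c) < 48 or not hmac.compare_digest(tag, good):
            return None                                   # reject
        return super().dec(body)

class Real:
    """Real world: the adversary talks to Enc_k and Dec_k."""
    def __init__(self, scheme):
        self.enc, self.dec = scheme.enc, scheme.dec

class Ideal:
    """Ideal world: Enc_k encrypts random "$"; Dec rejects, except on logged ciphertexts."""
    def __init__(self, scheme):
        self.scheme, self.log = scheme, {}
    def enc(self, m):
        c = self.scheme.enc(secrets.token_bytes(len(m)))  # encrypt $, not m
        self.log[c] = m                                   # list of input-output pairs
        return c
    def dec(self, c):
        return self.log.get(c)                            # None means reject

def distinguisher(world):
    """Change one ciphertext bit; answer True ("real") if decryption does not reject."""
    c = bytearray(world.enc(b"constructed sample message"))
    c[16] ^= 1                                            # first byte after the nonce
    return world.dec(bytes(c)) is not None

def advantage(scheme_cls):
    """1 if this distinguisher tells the two worlds apart, 0 if it does not."""
    return int(distinguisher(Real(scheme_cls())) != distinguisher(Ideal(scheme_cls())))
```

`advantage(StreamOnly)` is 1 and `advantage(EncryptThenMac)` is 0. The `log` dictionary is the list of input-output pairs, which works here only because classical ciphertexts can be copied and compared.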

SLIDE 95

Quantum authenticated encryption

Except that =

Enforced by keeping a list of input-output pairs of

SLIDE 102

Quantum authenticated encryption

Problem 1: requires copying quantum ciphertexts… forbidden by quantum no-cloning theorem! “Recording Barrier”

Solution 1: Purify “$”

Problem 2: Measurement disturbance

Solution 2: Even CPA-secure encryption is randomized… record the randomness!

Alagic, Gagliardoni, M ’18: Definition of quantum authenticated encryption

  • Reduces to authenticated encryption for classical schemes
  • Can be satisfied with simple hybrid encryption

SLIDE 114

Summary and open problems

  • Are we ready for encrypting the quantum internet? To some extent:
  • Quantum digital signatures are impossible, but not needed for this purpose
  • We have efficient quantum-secure digital signatures
  • Quantum Authenticated Encryption can be defined and constructed
  • This is just the beginning, many interesting questions:
  • Ongoing work: is quantum communication provably necessary for unconditional security à la QKD?
  • Signatures are used everywhere. Ramifications of impossibility?
  • Can we have more efficient quantum authenticated encryption from “quantum block ciphers”?
  • Do “quantum block ciphers” exist?
  • Noninteractive verification of quantum computation…

SLIDE 115

Thank you very much for your attention!