quantum authentication and encryption with key recycling
play

Quantum Authentication and Encryption with Key Recycling Or: How to - PowerPoint PPT Presentation

Mar 18, 2023 •201 likes •829 views

Quantum Authentication and Encryption with Key Recycling Or: How to Re-use a One-Time Pad Even if P = NP Safely & Feasibly Serge Fehr Louis Salvail CWI Amsterdam University of Montral Encryption & Authentication Schemes with

  1. Quantum Authentication and Encryption with Key Recycling Or: How to Re-use a One-Time Pad Even if P = NP — Safely & Feasibly Serge Fehr Louis Salvail CWI Amsterdam University of Montréal

  2. Encryption & Authentication Schemes with information theoretic security One-time pad: E k ( m ) = m + k Universal hashing, e.g.: MAC A,b ( m ) = Am + b

  3. Encryption & Authentication Schemes with information theoretic security One-time pad: E k ( m ) = m + k Universal hashing, e.g.: MAC A,b ( m ) = Am + b Well-known disadvantage: key cannot be re-used Reason: Eve can learn info on key by observing cipher Even worse: such attack remains undetected

  4. Encryption & Authentication Schemes with information theoretic security One-time pad: E k ( m ) = m + k Universal hashing, e.g.: MAC A,b ( m ) = Am + b Well-known disadvantage: key cannot be re-used Reason: Eve can learn info on key by observing cipher Even worse: such attack remains undetected Thus, key has to be refreshed even if not under attack

  5. General Idea To use a quantum ciphertext (or tag) instead so that any eavesdropping attack will disturb it

  6. General Idea To use a quantum ciphertext (or tag) instead so that any eavesdropping attack will disturb it We may hope for: Encode ciphertext (or tag) c into a quantum state | c ñ〉 Check upon arrival if | c ñ〉 is still in “good form” Conclude: no eavesdropping took place

  7. General Idea To use a quantum ciphertext (or tag) instead so that any eavesdropping attack will disturb it We may hope for: Encode ciphertext (or tag) c into a quantum state | c ñ〉 Check upon arrival if | c ñ〉 is still in “good form” Conclude: no eavesdropping took place Would allow for: unbounded safe re-use of the key as long as not under attack

  8. Known Results - and our Results General idea goes back to [Bennett, Brassard & Breidbart 1982]: proposed a simple scheme gave hand-wavy arguments for its security

  9. Known Results - and our Results General idea goes back to [Bennett, Brassard & Breidbart 1982]: proposed a simple scheme gave hand-wavy arguments for its security Their paper got rejected, and idea was abandoned - until...

  10. Known Results - and our Results General idea goes back to [Bennett, Brassard & Breidbart 1982]: proposed a simple scheme gave hand-wavy arguments for its security Their paper got rejected, and idea was abandoned - until... [Damgård, Pedersen, Salvail 2005]: proposed a new scheme with rigorous security proof But: honest users need quantum computing capabilities

  11. Known Results - and our Results General idea goes back to [Bennett, Brassard & Breidbart 1982]: proposed a simple scheme gave hand-wavy arguments for its security Their paper got rejected, and idea was abandoned - until... [Damgård, Pedersen, Salvail 2005]: proposed a new scheme with rigorous security proof But: honest users need quantum computing capabilities Our result: new simple scheme, based on BB84 qubits rigorous security proof

  12. Known Results - and our Results General idea goes back to [Bennett, Brassard & Breidbart 1982]: Related line of work: proposed a simple scheme encryption/authentication of quantum messages gave hand-wavy arguments for its security Some also offer key recycling and/or other features Their paper got rejected, and idea was abandoned - until... (see e.g. Portmann’s talk) [Damgård, Pedersen, Salvail 2005]: But, in all of those: honest users need quantum computer proposed a new scheme with rigorous security proof (even when restricting to classical messages) But: honest users need quantum computing capabilities Our result: new simple scheme, based on BB84 qubits rigorous security proof

  13. Encryption with Key-Recycling vs QKD Allow for almost the same There are subtle differences

  14. Encryption with Key-Recycling vs QKD Allow for almost the same There are subtle differences Encryption with key recycling: non-interactive (up to the ``feedback”) only a 1-bit message is to be authenticated, offline potential for better efficiency

  15. Encryption with Key-Recycling vs QKD Allow for almost the same There are subtle differences Encryption with key recycling: non-interactive (up to the ``feedback”) only a 1-bit message is to be authenticated, offline potential for better efficiency QKD: adaptively adjust to the noise

  16. Encryption with Key-Recycling vs QKD Allow for almost the same There are subtle differences Encryption with key recycling: non-interactive (up to the ``feedback”) only a 1-bit message is to be authenticated, offline potential for better efficiency QKD: adaptively adjust to the noise Our main motivation: intellectual interest

  17. Road Map Introduction The basic scheme and its analysis Extensions and open problem(s)

  18. Authentication with Key-Recycling The scheme m

  19. Authentication with Key-Recycling qθ , k qθ , k The scheme m

  20. Authentication with Key-Recycling qθ , k qθ , k The scheme m | x ñ〉 H qθ x ¬← {0,1} n

  21. Authentication with Key-Recycling qθ , k qθ , k The scheme m | x ñ〉 H qθ x ¬← {0,1} n …⋰ + × × + × + × × + qθ …⋰ x 1 1 0 0 1 0 1 0 1 …⋰ H qθ | x ñ〉 ↕ ︎ ︎ ︎ ︎ ↕ ↕ ↕ ↕ ↕ ↕ ︎ ︎ ︎ ↕ ︎ ↕ ︎

  22. Authentication with Key-Recycling qθ , k qθ , k The scheme m | x ñ〉 , t = MAC k ( m || x ) H qθ x ¬← {0,1} n

  23. Authentication with Key-Recycling qθ , k qθ , k The scheme m | x ñ〉 , t = MAC k ( m || x ) H qθ x ¬← {0,1} n m = A [ ] + b x

  24. Authentication with Key-Recycling qθ , k qθ , k The scheme m | x ñ〉 H qθ , t = MAC k ( m || x ) x ¬← {0,1} n recover x m = A [ ] + b check t x

  25. Authentication with Key-Recycling qθ , k qθ , k The scheme m | x ñ〉 H qθ , t = MAC k ( m || x ) x ¬← {0,1} n recover x m = A [ ] + b check t x Claims (informal) Offers authentication security

  26. Authentication with Key-Recycling qθ , k qθ , k The scheme m | x ñ〉 H qθ , t = MAC k ( m || x ) x ¬← {0,1} n recover x m = A [ ] + b check t x Claims (informal) o b v i Offers authentication security o u s l y

  27. Authentication with Key-Recycling qθ , k qθ , k The scheme m | x ñ〉 H qθ , t = MAC k ( m || x ) x ¬← {0,1} n recover x m = A [ ] + b check t x Claims (informal) Offers authentication security If Bob accepts then key ( qθ , k ) can be safely re-used

  28. Authentication with Key-Recycling qθ , k qθ , k The scheme m | x ñ〉 H qθ , t = MAC k ( m || x ) x ¬← {0,1} n recover x m = A [ ] + b check t x Claims (informal) Offers authentication security If Bob accepts then key ( qθ , k ) can be safely re-used If Bob rejects then qθ (only) must be refreshed

  29. Authentication with Key-Recycling qθ , k qθ , k The scheme m | x ñ〉 H qθ , t = MAC k ( m || x ) x ¬← {0,1} n recover x m = A [ ] + b check t x Intuition: If Eve gets to see authentication tags Claims (informal) Offers authentication security t i = MAC k ( m i ) = Am i + b If Bob accepts then key ( qθ , k ) can be safely re-used for known messages m 1 , m 2 ,... and a fixed key k = ( A , b ) , and so accumulates (linear) info on k and can solve for it. If Bob rejects then qθ (only) must be refreshed

  30. Authentication with Key-Recycling qθ , k qθ , k The scheme m | x ñ〉 H qθ , t = MAC k ( m || x ) x ¬← {0,1} n recover x m = A [ ] + b check t x Intuition: If Eve gets to see authentication tags Claims (informal) Offers authentication security t i = MAC k ( m i ) = Am i + b If Bob accepts then key ( qθ , k ) can be safely re-used for known messages m 1 , m 2 ,... and a fixed key k = ( A , b ) , and so accumulates (linear) info on k and can solve for it. If Bob rejects then qθ (only) must be refreshed But here : authenticated message m || x is partly unknown , | x ñ〉 hides x (to some extent) when qθ is unknown. since H qθ

  31. An “Attack” qθ , k qθ , k m H qθ 1 | x 1 ñ〉 Ä⊗ H qθ 2 | x 2 ñ〉 Ä⊗ …⋰ , t x ¬← {0,1} n recover x check t

  32. An “Attack” qθ , k qθ , k m H qθ 1 | x 1 ñ〉 Ä⊗ H qθ 2 | x 2 ñ〉 Ä⊗ …⋰ , t x ¬← {0,1} n recover x check t Eve measures 1st qubit as if qθ 1 = 0

  33. An “Attack” qθ , k qθ , k m H qθ 1 | x 1 ñ〉 Ä⊗ H qθ 2 | x 2 ñ〉 Ä⊗ …⋰ , t x ¬← {0,1} n recover x check t Eve measures 1st qubit as if qθ 1 = 0 Effect: If qθ 1 = 0 then she learns x 1 , H qθ 1 | x 1 ñ〉 is unaffected Bob accepts

  34. An “Attack” qθ , k qθ , k m H qθ 1 | x 1 ñ〉 Ä⊗ H qθ 2 | x 2 ñ〉 Ä⊗ …⋰ , t x ¬← {0,1} n recover x check t Eve measures 1st qubit as if qθ 1 = 0 Effect: If qθ 1 = 0 then If qθ 1 = 1 then she learns x 1 , she does not learn x 1 , H qθ 1 | x 1 ñ〉 is unaffected H qθ 1 | x 1 ñ〉 gets disturbed Bob accepts Bob rejects with prob. »≈ 1/2

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Quantum Authentication with Key Recycling Christopher Portmann Dept. Physics, ETH Zurich,

Quantum Authentication with Key Recycling Christopher Portmann Dept. Physics, ETH Zurich,

Introduction Classical secure channel Quantum secure channel Quantum Authentication with Key Recycling Christopher Portmann Dept. Physics, ETH Zurich, Switzerland Dept. of Computer Science, ETH Zurich, Switzerland EUROCRYPT 2017, Paris, 4 May

717 views • 54 slides
1 Message Encryption- see Table 11.1 in the book Message Encryption if public-key encryption

1 Message Encryption- see Table 11.1 in the book Message Encryption if public-key encryption

Message Authentication CPE 542: CRYPTOGRAPHY & NETWORK SECURITY message authentication is concerned with: protecting the integrity of a message Chapter 11 Message Authentication and validating identity of originator Hash

462 views • 6 slides
Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication

Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication

Cryptography Authentication and Data Integrity Aims of Authentication Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication with Hash Cryptography Functions Authentication with MACs School of

1.66k views • 27 slides
Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication

Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication

Cryptography Authentication and Data Integrity Aims of Authentication Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication with Hash Cryptography Functions Authentication with MACs School of

613 views • 27 slides
Permutation-based encryption, authentication and authenticated encryption Joan Daemen 1 Joint

Permutation-based encryption, authentication and authenticated encryption Joan Daemen 1 Joint

. . . . . . Permutation-based encryption, authentication and authenticated encryption Permutation-based encryption, authentication and authenticated encryption Joan Daemen 1 Joint work with DIAC 2012, Stockholm, July 6 Guido Bertoni 1 ,

739 views • 49 slides
Permutation-based encryption, authentication and authenticated encryption Guido Bertoni 1 , Joan

Permutation-based encryption, authentication and authenticated encryption Guido Bertoni 1 , Joan

Permutation-based encryption, authentication and authenticated encryption Guido Bertoni 1 , Joan Daemen 1 , Michal Peeters 2 , and Gilles Van Assche 1 1 STMicroelectronics 2 NXP Semiconductors Abstract. While mainstream symmetric cryptography has

519 views • 12 slides
Innovations in permutation-based encryption & authentication . based on joint work with

Innovations in permutation-based encryption & authentication . based on joint work with

Innovations in permutation-based encryption & authentication . based on joint work with Fast Software Encryption Conference 2017 1 Joan Daemen 1 , 2 Guido Bertoni 1 , Michal Peeters 1 , Gilles Van Assche 1 and Ronny Van Keer 1 1

855 views • 30 slides
Ruby Monstas Session 17: Interlude: Encryption Encryption What comes to mind if you think about

Ruby Monstas Session 17: Interlude: Encryption Encryption What comes to mind if you think about

Ruby Monstas Session 17: Interlude: Encryption Encryption What comes to mind if you think about encryption? Encryption Certificates Crypto Currencies Public Key AES Encryption Privacy SSH VPN HTTPS TLS Quantum Digital Signatures

837 views • 46 slides
HOST PUF-Based Authentication ECE 525 PUF-Based Authentication PUF-based protocols have been

HOST PUF-Based Authentication ECE 525 PUF-Based Authentication PUF-based protocols have been

HOST PUF-Based Authentication ECE 525 PUF-Based Authentication PUF-based protocols have been proposed for applications including: Encryption and authentication For detecting malicious alterations of design components For

645 views • 15 slides
Message Authentication MAC and Hash SMU CSE 5349/49 Message Authentication Verify that

Message Authentication MAC and Hash SMU CSE 5349/49 Message Authentication Verify that

Message Authentication MAC and Hash SMU CSE 5349/49 Message Authentication Verify that messages come from the alleged source, unaltered SMU CSE 5349/7349 Authentication Functions Message encryption Ciphertext itself serves as

1.16k views • 69 slides
Physically Restricted Authentication and Encryption for Cyber-physical Systems Michael

Physically Restricted Authentication and Encryption for Cyber-physical Systems Michael

11/12/09 Physically Restricted Authentication and Encryption for Cyber-physical Systems Michael Kirkpatrick, Elisa Bertino Purdue University Frederick Sheldon Oak Ridge National Laboratory DHS: S&T Workshop on Future Directions in

438 views • 4 slides
Unforgeable quantum encryption Christian Majenz Joint work with Gorjan Alagic and Tommaso

Unforgeable quantum encryption Christian Majenz Joint work with Gorjan Alagic and Tommaso

Unforgeable quantum encryption Christian Majenz Joint work with Gorjan Alagic and Tommaso Gagliardoni Authenticated Encryption! ( Using AES with 128 bit block size in Galois Counter Mode and SHA2 ) Taxonomy of security Authenticated encryption

440 views • 26 slides
CAN AUTHENTICATION AND ENCRYPTION February 2017 CAN PROVIDES MULTIPLE ATTACK VECTORS Record

CAN AUTHENTICATION AND ENCRYPTION February 2017 CAN PROVIDES MULTIPLE ATTACK VECTORS Record

Implementing scalable CAN Security with CANcrypt by Olaf Pfeiffer CAN AUTHENTICATION AND ENCRYPTION February 2017 CAN PROVIDES MULTIPLE ATTACK VECTORS Record and re-play messages Can trigger desired actions Re-engineering

320 views • 21 slides
Unforgeable quantum encryption Christian Majenz Joint work with Gorjan Alagic and Tommaso

Unforgeable quantum encryption Christian Majenz Joint work with Gorjan Alagic and Tommaso

Unforgeable quantum encryption Christian Majenz Joint work with Gorjan Alagic and Tommaso Gagliardoni Authenticated Encryption! ( Using AES with 128 bit block size in Galois Counter Mode and SHA2 ) Authenticated Encryption! ( Using AES with 128

893 views • 67 slides
Quantum secure message authentication via blind-unforgeability Christian Majenz Joint work with

Quantum secure message authentication via blind-unforgeability Christian Majenz Joint work with

Quantum secure message authentication via blind-unforgeability Christian Majenz Joint work with Gorjan Alagic, Alexander Russell and Fang Song QCrypt 2018, Shanghai, China Message authentication Alice Bob m Message authentication Alice Bob

1.3k views • 68 slides
tcpcrypt Mark Handley What would it take to encrypt all the traffic on the Internet, by

tcpcrypt Mark Handley What would it take to encrypt all the traffic on the Internet, by

tcpcrypt Mark Handley What would it take to encrypt all the traffic on the Internet, by default, all the time? Crypto 101: Encryption without authentication is useless. Encryption without authentication is like meeting a stranger in a

813 views • 31 slides
Count Review Joe Francis Jan Vink Program on Applied Demographics Web:

Count Review Joe Francis Jan Vink Program on Applied Demographics Web:

Count Review Joe Francis Jan Vink Program on Applied Demographics Web: http://pad.human.cornell.edu Email: PADInfo@Cornell.edu What is Count Review? Effort by the FSCPE Effort to improve the Census Two parts: Housing Units

321 views • 11 slides
h h h h C 3 = H ( M ) IV= C 0 C 1 C 2 C 3 256 1 Davis-Meyer 2 algorithm SHA256BC (w, a b c d

h h h h C 3 = H ( M ) IV= C 0 C 1 C 2 C 3 256 1 Davis-Meyer 2 algorithm SHA256BC (w, a b c d

MerkleDamgrd Hash Pad( M ) determines M |Pad( M )| is a positive multiple of n | M |=| M | |Pad( M )|=|Pad( M )| | M || M | last(Pad( M )) last(Pad( M )) 100 512 M 1 M 2 M 3 M 4 Pad 512 10*| M | M 1 M 2 M 3 M 4 h

365 views • 5 slides
SI View Aquatic Center Schematic Design Aquatic Center Bather Loads 667 Total Pool Bather Load

SI View Aquatic Center Schematic Design Aquatic Center Bather Loads 667 Total Pool Bather Load

SI View Aquatic Center Schematic Design Aquatic Center Bather Loads 667 Total Pool Bather Load Bathers Rec 260 Bathers Lap 341 Bathers Spl. Pad 144 Bathers Slide 1 Bather Recreation and Leisure Pool Pool Highlights 4,600 Square

206 views • 9 slides
Final Assembly Chip Core Your final project chip consists of a core The Chip Core is

Final Assembly Chip Core Your final project chip consists of a core The Chip Core is

Final Assembly Chip Core Your final project chip consists of a core The Chip Core is everything that is inside and a pad ring the Pad Ring Core is the guts Try to floorplan your core so that its as small a rectangle as

230 views • 11 slides
Measuring Methane Emissions from Oil and Natural Gas Well Pads in the Barnett Shale Using the

Measuring Methane Emissions from Oil and Natural Gas Well Pads in the Barnett Shale Using the

Measuring Methane Emissions from Oil and Natural Gas Well Pads in the Barnett Shale Using the Mobile Flux Plane Technique Graham Leggett, Chris W. Rella * , Tracy R. Tsai, Connor G. Botkin, Eric R. Crosson, David Steele NOAA GMD 2015 Methane

317 views • 12 slides
Caesar Cipher If he had anything confidential to say, he wrote it in cipher, that is, by so

Caesar Cipher If he had anything confidential to say, he wrote it in cipher, that is, by so

Caesar Cipher If he had anything confidential to say, he wrote it in cipher, that is, by so changing the order of the letters of the alphabet, that not a word could be made out. If anyone wishes to decipher these, and get at their meaning, he

1.03k views • 5 slides
Compress Objects, Not Cache Lines: An Object-Based Compressed Memory Hierarchy Po-An Tsai and

Compress Objects, Not Cache Lines: An Object-Based Compressed Memory Hierarchy Po-An Tsai and

Compress Objects, Not Cache Lines: An Object-Based Compressed Memory Hierarchy Po-An Tsai and Daniel Sanchez Prior memory compression techniques are limited to compressing cache lines 2 Prior memory compression techniques are limited to

1.61k views • 112 slides
Simulation of the ILD TPC with pixel readout Kees Ligtenberg LCTPC Collaboration meeting January

Simulation of the ILD TPC with pixel readout Kees Ligtenberg LCTPC Collaboration meeting January

Simulation of the ILD TPC with pixel readout Kees Ligtenberg LCTPC Collaboration meeting January 14, 2020 Kees Ligtenberg (Nikhef) Pixel TPC simulation January 14, 2020 1 / 12 Introduction In order to study the tracking performance of a

585 views • 19 slides

More recommend