Quantum Authentication with Key Recycling Christopher Portmann - - PowerPoint PPT Presentation

Introduction Classical secure channel Quantum secure channel

Quantum Authentication with Key Recycling

Christopher Portmann

• Dept. Physics, ETH Zurich, Switzerland
• Dept. of Computer Science, ETH Zurich, Switzerland

EUROCRYPT 2017, Paris, 4 May

• C. Portmann

Quantum Authentication with Key Recycling

Introduction Classical secure channel Quantum secure channel

Authentication and Encryption of Quantum Messages with Key Recycling

Christopher Portmann

• Dept. Physics, ETH Zurich, Switzerland
• Dept. of Computer Science, ETH Zurich, Switzerland

EUROCRYPT 2017, Paris, 4 May

• C. Portmann

Quantum Authentication with Key Recycling

Introduction Classical secure channel Quantum secure channel Overview Main idea

Overview of results

Analyze a subset of the family of Q-MACs from Barnum, Crépeau, Gottesman, Smith, Tapp [FOCS 2002] Prove that all the key can be recycled upon accepting the message. Prove that part of the key can be recycled upon rejecting the message, and that this is optimal (= the rest is leaked). Composable security proof using the Abstract/Constructive Cryptography framework [Maurer, Renner, 2011].

• C. Portmann

Quantum Authentication with Key Recycling

Introduction Classical secure channel Quantum secure channel Overview Main idea

Key recycling (classical)

Classical MACs: Message x Family of hash functions {fk} Key (k1, k2) Tag t := fk1(x) ⊕ k2 Wegman, Carter [1981], P[2014] New key k2 needed for every new message x. k1 can be recycled!

t′ ? = fk1(x′) ⊕ k2 (x, t) (x′, t′)

• C. Portmann

Quantum Authentication with Key Recycling

Introduction Classical secure channel Quantum secure channel Overview Main idea

Key recycling (classical)

Classical MACs: Message x Family of hash functions {fk} Key (k1, k2) Tag t := fk1(x) ⊕ k2 Wegman, Carter [1981], P[2014] New key k2 needed for every new message x. k1 can be recycled!

t′ ? = fk1(x′) ⊕ k2 (x, t) (x′, t′)

• C. Portmann

Quantum Authentication with Key Recycling

Introduction Classical secure channel Quantum secure channel Overview Main idea

Key recycling (quantum)

Authentic channel A x x x

No cloning! If Bob gets ρ, then Eve doe not. If Bob can verify that he received the correct cipher, Eve has no information about it. = ⇒ Eve has no information about the key either. = ⇒ Key can be recycled! Same principal as quantum key distribution.

• C. Portmann

Quantum Authentication with Key Recycling

Introduction Classical secure channel Quantum secure channel Overview Main idea

Key recycling (quantum)

Authentic channel A ρ ρ ρ

No cloning! If Bob gets ρ, then Eve doe not. If Bob can verify that he received the correct cipher, Eve has no information about it. = ⇒ Eve has no information about the key either. = ⇒ Key can be recycled! Same principal as quantum key distribution.

• C. Portmann

Quantum Authentication with Key Recycling

Introduction Classical secure channel Quantum secure channel Overview Main idea

Key recycling (quantum)

Secure channel S ρ ρ ρ

No cloning! If Bob gets ρ, then Eve doe not. If Bob can verify that he received the correct cipher, Eve has no information about it. = ⇒ Eve has no information about the key either. = ⇒ Key can be recycled! Same principal as quantum key distribution.

• C. Portmann

Quantum Authentication with Key Recycling

Introduction Classical secure channel Quantum secure channel Overview Main idea

Key recycling (quantum)

Secure channel S ρ ρ ρ

No cloning! If Bob gets ρ, then Eve doe not. If Bob can verify that he received the correct cipher, Eve has no information about it. = ⇒ Eve has no information about the key either. = ⇒ Key can be recycled! Same principal as quantum key distribution.

• C. Portmann

Quantum Authentication with Key Recycling

Introduction Classical secure channel Quantum secure channel Overview Main idea

Key recycling (quantum)

Secure channel S ρ ρ ρ

No cloning! If Bob gets ρ, then Eve doe not. If Bob can verify that he received the correct cipher, Eve has no information about it. = ⇒ Eve has no information about the key either. = ⇒ Key can be recycled! Same principal as quantum key distribution.

• C. Portmann

Quantum Authentication with Key Recycling

Introduction Classical secure channel Quantum secure channel From an authentic channel From an XOR-malleable, confidential channel Key recycling

Constructing an authentic channel

Secret key K Insecure channel R

πauth

A

πauth

B

x x′, ⊥ k k (x, t) (x′, t′)

• C. Portmann

Quantum Authentication with Key Recycling

Introduction Classical secure channel Quantum secure channel From an authentic channel From an XOR-malleable, confidential channel Key recycling

Constructing an authentic channel

Secret key K Insecure ch. R πauth

A

πauth

B

x x′, ⊥ k k (x, t) (x′, t′)

• C. Portmann

Quantum Authentication with Key Recycling

Introduction Classical secure channel Quantum secure channel From an authentic channel From an XOR-malleable, confidential channel Key recycling

Constructing an authentic channel

Secret key K Insecure ch. R πauth

A

πauth

B

x x′, ⊥ k k (x, t) (x′, t′)

Authentic ch. A

x x, ⊥ x 0, 1

• C. Portmann

Quantum Authentication with Key Recycling

Introduction Classical secure channel Quantum secure channel From an authentic channel From an XOR-malleable, confidential channel Key recycling

Constructing an authentic channel

Secret key K Insecure ch. R πauth

A

πauth

B

x x′, ⊥ k k (x, t) (x′, t′)

Authentic ch. A σauth

E

x x, ⊥ x 0, 1 (x, t) (x′, t′)

• C. Portmann

Quantum Authentication with Key Recycling

Introduction Classical secure channel Quantum secure channel From an authentic channel From an XOR-malleable, confidential channel Key recycling

Constructing an authentic channel

Secret key K Insecure ch. R πauth

A

πauth

B

x x′, ⊥ k k (x, t) (x′, t′)

Authentic ch. A σauth

E

x x, ⊥ x 0, 1 (x, t) (x′, t′)

Two systems R and S are ε-close if no distinguisher can tell them apart except with advantage ε, R ≈ε S ⇐ ⇒ sup

D

|Pr[D(R) = 1] − Pr[D(S) = 1]| ≤ ε.

• C. Portmann

Quantum Authentication with Key Recycling

Introduction Classical secure channel Quantum secure channel From an authentic channel From an XOR-malleable, confidential channel Key recycling

Constructing an authentic channel

Secret key K Insecure ch. R πauth

A

πauth

B

x x′, ⊥ k k (x, t) (x′, t′)

Authentic ch. A σauth

E

x x, ⊥ x 0, 1 (x, t) (x′, t′)

(πauth

A

, πauth

B

) constructs A from KR with error ε, if there exists a simulator σauth

E

such that the dashed boxes are ε-close. KR

πauth,ε

− − − − → A ⇐ ⇒ ∃σauth

E

s.t. πauth

A

πauth

B

(KR) ≈ε σauth

E

A.

• C. Portmann

Quantum Authentication with Key Recycling

Introduction Classical secure channel Quantum secure channel From an authentic channel From an XOR-malleable, confidential channel Key recycling

Constructing a secure channel from an authentic ch.

Secret key K Authentic ch. A πotp

A

c = x ⊕ k

πotp

B

x x, ⊥ k k c c 0, 1

• C. Portmann

Quantum Authentication with Key Recycling

Introduction Classical secure channel Quantum secure channel From an authentic channel From an XOR-malleable, confidential channel Key recycling

Constructing a secure channel from an authentic ch.

Secret key K Authentic ch. A πotp

A

c = x ⊕ k

πotp

B

x x, ⊥ k k c c 0, 1

Secure ch. S

x x, ⊥ |x| 0, 1

• C. Portmann

Quantum Authentication with Key Recycling

Introduction Classical secure channel Quantum secure channel From an authentic channel From an XOR-malleable, confidential channel Key recycling

Constructing a secure channel from an authentic ch.

Secret key K Authentic ch. A πotp

A

c = x ⊕ k

πotp

B

x x, ⊥ k k c c 0, 1

Secure ch. S σotp

E

x x, ⊥ |x| c 0, 1

(πotp

A , πotp B ) constructs S from KA with error 0,

πotp

A πotp B

(KA) = σotp

E S =

⇒ KA

πotp,0

− − − → S

• C. Portmann

Quantum Authentication with Key Recycling

Introduction Classical secure channel Quantum secure channel From an authentic channel From an XOR-malleable, confidential channel Key recycling

Constructing a secure ch. from an insecure ch. (1)

Key K1 Key K2

• Ch. R

πotp

A

πauth

A

πotp

B

πauth

B

x x, ⊥ k1 k1 k2 k2 c c′ (c, t) (c′, t′)

Secure ch. S σotp

E

σauth

E

x x, ⊥ |x| 0, 1 c (c, t) (c′, t′)

• C. Portmann

Quantum Authentication with Key Recycling

Introduction Classical secure channel Quantum secure channel From an authentic channel From an XOR-malleable, confidential channel Key recycling

Constructing a secure ch. from an insecure ch. (1)

Key K1 Key K2

• Ch. R

πotp

A

πauth

A

πotp

B

πauth

B

x x, ⊥ k1 k1 k2 k2 c c′ (c, t) (c′, t′)

Secure ch. S σotp

E

σauth

E

x x, ⊥ |x| 0, 1 c (c, t) (c′, t′)

• C. Portmann

Quantum Authentication with Key Recycling

Introduction Classical secure channel Quantum secure channel From an authentic channel From an XOR-malleable, confidential channel Key recycling

Constructing a secure ch. from an insecure ch. (1)

Key K1 Key K2

• Ch. R

πotp

A

πauth

A

πotp

B

πauth

B

x x, ⊥ k1 k1 k2 k2 c c′ (c, t) (c′, t′)

πotp

A

• πauth

A

πotp

B

• πauth

B

Secure ch. S σE

x x, ⊥ |x| 0, 1 c (c, t) (c′, t′)

K2R

πauth,ε

− − − − → A K1A

πotp,0

− − − → S    = ⇒ K1K2R

πotp◦πauth,ε

− − − − − − − → S. (πotp

A ◦πauth A

, πotp

B ◦πauth B

) constructs S from K1K2A with error ε.

• C. Portmann

Quantum Authentication with Key Recycling

Introduction Classical secure channel Quantum secure channel From an authentic channel From an XOR-malleable, confidential channel Key recycling

Constructing an XOR-malleable, confidential channel

Secret key K Insecure ch. R πotp

A

c = x ⊕ k

πotp

B

x′ = c′ ⊕ k x x′ k k c c′

• C. Portmann

Quantum Authentication with Key Recycling

Introduction Classical secure channel Quantum secure channel From an authentic channel From an XOR-malleable, confidential channel Key recycling

Constructing an XOR-malleable, confidential channel

Secret key K Insecure ch. R πotp

A

c = x ⊕ k

πotp

B

x′ = c′ ⊕ k x x′ k k c c′

Malleable ch. C

⊕ x x′ = x ⊕ e |x| e

• C. Portmann

Quantum Authentication with Key Recycling

Introduction Classical secure channel Quantum secure channel From an authentic channel From an XOR-malleable, confidential channel Key recycling

Constructing an XOR-malleable, confidential channel

Secret key K Insecure ch. R πotp

A

c = x ⊕ k

πotp

B

x′ = c′ ⊕ k x x′ k k c c′

Malleable ch. C

⊕

e = c ⊕ c′ σxor

E

x x′ = x ⊕ e |x| e c c′

(πotp

A , πotp B ) constructs C from KR with error 0,

πotp

A πotp B

(KR) = σotp

E C =

⇒ KR

πotp,0

− − − → C

• C. Portmann

Quantum Authentication with Key Recycling

Introduction Classical secure channel Quantum secure channel From an authentic channel From an XOR-malleable, confidential channel Key recycling

Constructing a secure ch. from an XOR-malleable ch.

Secret key K Malleable ch. C

⊕

πcode

A

πcode

B

x x′, ⊥ k k y |y| e y′

Secure ch. S

We need to catch errors Fe := “ ⊕ e”. x x, ⊥ |x| 0, 1

• C. Portmann

Quantum Authentication with Key Recycling

Introduction Classical secure channel Quantum secure channel From an authentic channel From an XOR-malleable, confidential channel Key recycling

Constructing a secure ch. from an XOR-malleable ch.

Secret key K Malleable ch. C

⊕

πcode

A

πcode

B

y = Ck(x|0) (x′|s) = C−1

k y′

x x′, ⊥ k k y |y| e y′

Secure ch. S

We need to catch errors Fe := “ ⊕ e”. x x, ⊥ |x| 0, 1

Let Ck be a linear code with y = Ck(x|0). Let Fk be the set of bit flips that are not detected, i.e., Fe ∈ Fk ⇐ ⇒ C−1

k FeCk(x|0) = x′|0.

Let C = {Ck}k catch all errors with high probability i.e., ∀Fe, Prk[Fe ∈ Fk] ≤ ε.

• C. Portmann

Quantum Authentication with Key Recycling

Introduction Classical secure channel Quantum secure channel From an authentic channel From an XOR-malleable, confidential channel Key recycling

Constructing a secure ch. from an XOR-malleable ch.

Secret key K Malleable ch. C

⊕

πcode

A

πcode

B

y = Ck(x|0) (x′|s) = C−1

k y′

x x′, ⊥ k k y |y| e y′

Secure ch. S σcode

E

x x, ⊥ |x| 0, 1 |y| e

(πcode

A

, πcode

B

) constructs S from KC with error ε, πcode

A

πcode

B

(KC) ≈ε σcode

E

S = ⇒ KC

πcode,ε

− − − − → S

• C. Portmann

Quantum Authentication with Key Recycling

Introduction Classical secure channel Quantum secure channel From an authentic channel From an XOR-malleable, confidential channel Key recycling

Constructing a secure ch. from an insecure ch. (2)

Secret key K Insecure ch. R πcode

A

• πotp

A

πcode

B

• πotp

B

x x′, ⊥ k k c c′

Secure ch. S σE

x x, ⊥ |x| 0, 1 c c′

Encrypt: c = Ck1(x|0) ⊕ k2, Decrypt: (x′|s) = C−1

k1 (c′ ⊕ k2)

If s = 0, output x′, otherwise output ⊥. (πcode

A

• πotp

A , πcode B

• πotp

B ) constructs S from KR with error ε,

KR

πcode◦πotp,ε

− − − − − − − → S.

• C. Portmann

Quantum Authentication with Key Recycling

Introduction Classical secure channel Quantum secure channel From an authentic channel From an XOR-malleable, confidential channel Key recycling

Recycling key

Secret key K Insecure ch. R πcode

A

• πotp

A

πcode

B

• πotp

B

x x′, ⊥ k k c c′

Secure ch. S

x x, ⊥ |x| 0, 1

k1 is hidden by the one-time pad: c = Ck1(x|0) ⊕ k2, = ⇒ it can be recycled! Bob must confirm reception of c′, before Alice recycles k1, − → need a backwards authentic channel A.

• C. Portmann

Quantum Authentication with Key Recycling

Introduction Classical secure channel Quantum secure channel From an authentic channel From an XOR-malleable, confidential channel Key recycling

Recycling key

Secret key K Authentic ch. A b

b 0, 1

Insecure ch. R πA πB

x x′, ⊥ k1, ⊥ k1 k k c c′

Secure ch. S

x x, ⊥ |x| 0, 1

k1 is hidden by the one-time pad: c = Ck1(x|0) ⊕ k2, = ⇒ it can be recycled! Bob must confirm reception of c′, before Alice recycles k1, − → need a backwards authentic channel A.

• C. Portmann

Quantum Authentication with Key Recycling

Introduction Classical secure channel Quantum secure channel From an authentic channel From an XOR-malleable, confidential channel Key recycling

Recycling key

Secret key K Authentic ch. A b

b 0, 1

Insecure ch. R πA πB

x x′, ⊥ k1, ⊥ k1 k k c c′

Secret key K′

key

k1, ⊥ k1 1 0, 1

Secure ch. S

x x, ⊥ |x| 0, 1

k1 is hidden by the one-time pad: c = Ck1(x|0) ⊕ k2, = ⇒ it can be recycled! Bob must confirm reception of c′, before Alice recycles k1, − → need a backwards authentic channel A.

• C. Portmann

Quantum Authentication with Key Recycling

Introduction Classical secure channel Quantum secure channel From an authentic channel From an XOR-malleable, confidential channel Key recycling

Recycling key

Secret key K Authentic ch. A b

b 0, 1

Insecure ch. R πA πB

x x′, ⊥ k1, ⊥ k1 k k c c′

Secret key K′

key

σE

k1, ⊥ k1 1

Secure ch. S

x x, ⊥ |x| 0, 1 b c c′ 0, 1

k1 is hidden by the one-time pad: c = Ck1(x|0) ⊕ k2, = ⇒ it can be recycled! Bob must confirm reception of c′, before Alice recycles k1, − → need a backwards authentic channel A. KAR

π,ε

− − → K′S.

• C. Portmann

Quantum Authentication with Key Recycling

Introduction Classical secure channel Quantum secure channel Constructing the channel Open questions

Dictionary

Classical Message: x ∈ {0, 1}m. One-time pad: k ∈ {0, 1}m, c = x ⊕ k = Fkm. Code Ck with y = Ck(x|0). Fe ∈ Fk if code Ck fails to detect error Fe. Family C = {Ck} such that ∀Fe, Prk[Fe ∈ Fk] ≤ ε. Cipher c = Ck1(x|0) ⊕ k2 = Fk2Ck1(x|0). Quantum Message: ρ ∈ L(C2m). One-time pad: x, z ∈ {0, 1}m, σ = Px,zρPx,z. Code Uk with σ = Uk (ρ ⊗ |0 0|) U†

k.

Px,z ∈ Fk if code Uk fails to detect error Px,z. Family U = {Uk} such that ∀Px,z, Prk[Px,z ∈ Fk] ≤ ε. Cipher σ = Pk2Uk1 (ρ ⊗ |0 0|) U†

k1Pk2.

• C. Portmann

Quantum Authentication with Key Recycling

Introduction Classical secure channel Quantum secure channel Constructing the channel Open questions

Dictionary

Classical Message: x ∈ {0, 1}m. One-time pad: k ∈ {0, 1}m, c = x ⊕ k = Fkm. Code Ck with y = Ck(x|0). Fe ∈ Fk if code Ck fails to detect error Fe. Family C = {Ck} such that ∀Fe, Prk[Fe ∈ Fk] ≤ ε. Cipher c = Ck1(x|0) ⊕ k2 = Fk2Ck1(x|0). Quantum Message: ρ ∈ L(C2m). One-time pad: x, z ∈ {0, 1}m, σ = Px,zρPx,z. Code Uk with σ = Uk (ρ ⊗ |0 0|) U†

k.

Px,z ∈ Fk if code Uk fails to detect error Px,z. Family U = {Uk} such that ∀Px,z, Prk[Px,z ∈ Fk] ≤ ε. Cipher σ = Pk2Uk1 (ρ ⊗ |0 0|) U†

k1Pk2.

• C. Portmann

Quantum Authentication with Key Recycling

Introduction Classical secure channel Quantum secure channel Constructing the channel Open questions

Dictionary

Classical Message: x ∈ {0, 1}m. One-time pad: k ∈ {0, 1}m, c = x ⊕ k = Fkm. Code Ck with y = Ck(x|0). Fe ∈ Fk if code Ck fails to detect error Fe. Family C = {Ck} such that ∀Fe, Prk[Fe ∈ Fk] ≤ ε. Cipher c = Ck1(x|0) ⊕ k2 = Fk2Ck1(x|0). Quantum Message: ρ ∈ L(C2m). One-time pad: x, z ∈ {0, 1}m, σ = Px,zρPx,z. Code Uk with σ = Uk (ρ ⊗ |0 0|) U†

k.

Px,z ∈ Fk if code Uk fails to detect error Px,z. Family U = {Uk} such that ∀Px,z, Prk[Px,z ∈ Fk] ≤ ε. Cipher σ = Pk2Uk1 (ρ ⊗ |0 0|) U†

k1Pk2.

• C. Portmann

Quantum Authentication with Key Recycling

Introduction Classical secure channel Quantum secure channel Constructing the channel Open questions

Dictionary

Classical Message: x ∈ {0, 1}m. One-time pad: k ∈ {0, 1}m, c = x ⊕ k = Fkm. Code Ck with y = Ck(x|0). Fe ∈ Fk if code Ck fails to detect error Fe. Family C = {Ck} such that ∀Fe, Prk[Fe ∈ Fk] ≤ ε. Cipher c = Ck1(x|0) ⊕ k2 = Fk2Ck1(x|0). Quantum Message: ρ ∈ L(C2m). One-time pad: x, z ∈ {0, 1}m, σ = Px,zρPx,z. Code Uk with σ = Uk (ρ ⊗ |0 0|) U†

k.

Px,z ∈ Fk if code Uk fails to detect error Px,z. Family U = {Uk} such that ∀Px,z, Prk[Px,z ∈ Fk] ≤ ε. Cipher σ = Pk2Uk1 (ρ ⊗ |0 0|) U†

k1Pk2.

• C. Portmann

Quantum Authentication with Key Recycling

Introduction Classical secure channel Quantum secure channel Constructing the channel Open questions

Dictionary

Classical Message: x ∈ {0, 1}m. One-time pad: k ∈ {0, 1}m, c = x ⊕ k = Fkm. Code Ck with y = Ck(x|0). Fe ∈ Fk if code Ck fails to detect error Fe. Family C = {Ck} such that ∀Fe, Prk[Fe ∈ Fk] ≤ ε. Cipher c = Ck1(x|0) ⊕ k2 = Fk2Ck1(x|0). Quantum Message: ρ ∈ L(C2m). One-time pad: x, z ∈ {0, 1}m, σ = Px,zρPx,z. Code Uk with σ = Uk (ρ ⊗ |0 0|) U†

k.

Px,z ∈ Fk if code Uk fails to detect error Px,z. Family U = {Uk} such that ∀Px,z, Prk[Px,z ∈ Fk] ≤ ε. Cipher σ = Pk2Uk1 (ρ ⊗ |0 0|) U†

k1Pk2.

• C. Portmann

Quantum Authentication with Key Recycling

Introduction Classical secure channel Quantum secure channel Constructing the channel Open questions

Dictionary

Classical Message: x ∈ {0, 1}m. One-time pad: k ∈ {0, 1}m, c = x ⊕ k = Fkm. Code Ck with y = Ck(x|0). Fe ∈ Fk if code Ck fails to detect error Fe. Family C = {Ck} such that ∀Fe, Prk[Fe ∈ Fk] ≤ ε. Cipher c = Ck1(x|0) ⊕ k2 = Fk2Ck1(x|0). Quantum Message: ρ ∈ L(C2m). One-time pad: x, z ∈ {0, 1}m, σ = Px,zρPx,z. Code Uk with σ = Uk (ρ ⊗ |0 0|) U†

k.

Px,z ∈ Fk if code Uk fails to detect error Px,z. Family U = {Uk} such that ∀Px,z, Prk[Px,z ∈ Fk] ≤ ε. Cipher σ = Pk2Uk1 (ρ ⊗ |0 0|) U†

k1Pk2.

• C. Portmann

Quantum Authentication with Key Recycling

Introduction Classical secure channel Quantum secure channel Constructing the channel Open questions

Main result

Secret key K Authentic ch. A b

b 0, 1

Insecure ch. R πq-auth

A

πq-auth

B

ρ ρ′, ⊥ k, k1, ⊥ k, k1 k k σ σ′

Secret key K′

key

k, k1, ⊥ k, k1

0, 1

0, 1

Secure ch. S

ρ ρ, ⊥ |ρ| 0, 1

Encrypt: σ = Pk2Uk1 (ρ ⊗ |0 0|) U†

k1Pk2,

Decrypt: ρ′ ⊗ |s s| = MsU†

k1Pk2σ′Pk2Uk1Ms.

If s = 0, output ρ′ and recycle k1, k2, otherwise output ⊥ and recycle k1.

• C. Portmann

Quantum Authentication with Key Recycling

Introduction Classical secure channel Quantum secure channel Constructing the channel Open questions

Main result

Secret key K Authentic ch. A b

b 0, 1

Insecure ch. R πq-auth

A

πq-auth

B

ρ ρ′, ⊥ k, k1, ⊥ k, k1 k k σ σ′

Secret key K′

key

σq-auth

E

k, k1, ⊥ k, k1

0, 1 Secure ch. S

ρ ρ, ⊥ |ρ| 0, 1 b σ σ′ 0, 1

Theorem If U = {Uk1} is such that ∀Px,z, Prk1[Px,z ∈ Fk1] ≤ ε, then KAR

πq-auth,δ

− − − − − → K′S, with δ ≤ √ε + ε

2.

• C. Portmann

Quantum Authentication with Key Recycling

Introduction Classical secure channel Quantum secure channel Constructing the channel Open questions

Parameters

[BCG+02] instantiation Message length: m qubits. Length of k1: n bits. Error of code: ε = 2m/n+2

2n

. Syndrome length: n qubits. Length of k2: 2m + n bits. Error of construction: δ ≤

• 2m/n+2

2n

+ m/n+1

2n

. Unitary 2-design Message length: m qubits. Length of k1: 3m + 3n bits. Error of code: ε = 1

2n .

Syndrome length: n qubits. Length of k2: 2m + n bits. Error of construction: δ ≤

1 2n/2 + 1 2n+1 .

• C. Portmann

Quantum Authentication with Key Recycling

Introduction Classical secure channel Quantum secure channel Constructing the channel Open questions

Weak purity testing codes

Current work requires a family of (strong purity testing) codes U = {Uk} such that ∀Px,z, Prk[Px,z ∈ Fk] ≤ ε Original [BCG+02] requirement: a family of (weak purity testing) U = {Uk} such that ∀Px,z, Prk[Px,z ∈ Fk \ Gk] ≤ ε, where Gk are Pauli errors that do not change the message. This only guarantees that the message is not changed, not that the cipher is not changed! Specific attack: Eve picks a Pe that is in Gk for half the codes, and not in Gk for the other half. → learning if the message got accepted leaks a bit of information about the code chosen.

• C. Portmann

Quantum Authentication with Key Recycling

Introduction Classical secure channel Quantum secure channel Constructing the channel Open questions

Weak purity testing codes

Current work requires a family of (strong purity testing) codes U = {Uk} such that ∀Px,z, Prk[Px,z ∈ Fk] ≤ ε Original [BCG+02] requirement: a family of (weak purity testing) U = {Uk} such that ∀Px,z, Prk[Px,z ∈ Fk \ Gk] ≤ ε, where Gk are Pauli errors that do not change the message. This only guarantees that the message is not changed, not that the cipher is not changed! Specific attack: Eve picks a Pe that is in Gk for half the codes, and not in Gk for the other half. → learning if the message got accepted leaks a bit of information about the code chosen.

• C. Portmann

Quantum Authentication with Key Recycling

Introduction Classical secure channel Quantum secure channel Constructing the channel Open questions

Weak purity testing codes

Current work requires a family of (strong purity testing) codes U = {Uk} such that ∀Px,z, Prk[Px,z ∈ Fk] ≤ ε Original [BCG+02] requirement: a family of (weak purity testing) U = {Uk} such that ∀Px,z, Prk[Px,z ∈ Fk \ Gk] ≤ ε, where Gk are Pauli errors that do not change the message. This only guarantees that the message is not changed, not that the cipher is not changed! Specific attack: Eve picks a Pe that is in Gk for half the codes, and not in Gk for the other half. → learning if the message got accepted leaks a bit of information about the code chosen.

• C. Portmann

Quantum Authentication with Key Recycling

Introduction Classical secure channel Quantum secure channel Constructing the channel Open questions

Weak purity testing codes

Current work requires a family of (strong purity testing) codes U = {Uk} such that ∀Px,z, Prk[Px,z ∈ Fk] ≤ ε Original [BCG+02] requirement: a family of (weak purity testing) U = {Uk} such that ∀Px,z, Prk[Px,z ∈ Fk \ Gk] ≤ ε, where Gk are Pauli errors that do not change the message. This only guarantees that the message is not changed, not that the cipher is not changed! Specific attack: Eve picks a Pe that is in Gk for half the codes, and not in Gk for the other half. → learning if the message got accepted leaks a bit of information about the code chosen.

• C. Portmann

Quantum Authentication with Key Recycling

Introduction Classical secure channel Quantum secure channel Constructing the channel Open questions

Other Q-MACs

Signed polynomial code [Ben-Or, Crépeau, Gottesman, Hassidim, Smith, 2006]: same structure as [BCG+02], but with codes on qudits, − → key recycling most likely that same as on qubits. Clifford code [Aharonov, Ben-Or, Eban, 2010]: instantiation

• f [BCG+02] with strong purity testing code,

− → key recycling follows from this work. Trap code [Broadbent, Gutoski, Stebila, 2013]: instantiation

• f [BCG+02] with weak purity testing code,

− → key recycling properties unknown. Auth-QFT-Auth [Garg, Yuen, Zhandry, 2016], − → partial key recycling proven in [GYZ16].

• C. Portmann

Quantum Authentication with Key Recycling

Introduction Classical secure channel Quantum secure channel Constructing the channel Open questions

Thank you!

• C. Portmann

Quantum Authentication with Key Recycling

Introduction Classical secure channel Quantum secure channel Constructing the channel Open questions

Noisy channel

Noisy channel

σ σ′

Problem: if Alice share a (natural) noisy channel instead of an insecure one, we want the message to be accepted. Solution: use a quantum error correcting code for this noise.

• C. Portmann

Quantum Authentication with Key Recycling

Introduction Classical secure channel Quantum secure channel Constructing the channel Open questions

Noisy channel

Noisy channel πecc

A

πecc

B

ρ ρ σ σ′

Noiseless channel

ρ ρ

Problem: if Alice share a (natural) noisy channel instead of an insecure one, we want the message to be accepted. Solution: use a quantum error correcting code for this noise.

• C. Portmann

Quantum Authentication with Key Recycling

Introduction Classical secure channel Quantum secure channel Constructing the channel Open questions

Key for the backwards authentic channel

Problem: constructing the backwards authentic channel requires key, which cannot be completely recycled. Solution 1: use the constructed secure channel to send secret key. Solution 2: alternate messages from Alice to Bob and Bob to Alice, and skip this channel all together.

• C. Portmann

Quantum Authentication with Key Recycling

Introduction Classical secure channel Quantum secure channel Constructing the channel Open questions

Key for the backwards authentic channel

Secure ch. S πkey

A

πkey

B

ρ ρ k k ρ ⊗ |k k|

Secret key K Secure ch. S

ρ ρ k k

Problem: constructing the backwards authentic channel requires key, which cannot be completely recycled. Solution 1: use the constructed secure channel to send secret key. Solution 2: alternate messages from Alice to Bob and Bob to Alice, and skip this channel all together.

• C. Portmann

Quantum Authentication with Key Recycling

Introduction Classical secure channel Quantum secure channel Constructing the channel Open questions

Key for the backwards authentic channel

Secure ch. S πkey

A

πkey

B

ρ ρ k k ρ ⊗ |k k|

Secret key K Secure ch. S

ρ ρ k k

Problem: constructing the backwards authentic channel requires key, which cannot be completely recycled. Solution 1: use the constructed secure channel to send secret key. Solution 2: alternate messages from Alice to Bob and Bob to Alice, and skip this channel all together.

• C. Portmann

Quantum Authentication with Key Recycling

Introduction Classical secure channel Quantum secure channel Constructing the channel Open questions

Putting it together

Secret key Kq-auth Secret key Kauth Insecure ch. ← − R ← − π ecc

A

← − π ecc

B

Insecure ch. − → R − → π ecc

A

− → π ecc

B

πauth

A

πauth

B

πq-auth

A

πq-auth

B

πkey

A

πkey

B

Composed protocol πA Composed protocol πB

k ρ k ρ

• C. Portmann

Quantum Authentication with Key Recycling