quantum secure message authentication via blind
play

Quantum secure message authentication via blind-unforgeability - PowerPoint PPT Presentation

Jan 12, 2024 •603 likes •1.3k views

Quantum secure message authentication via blind-unforgeability Christian Majenz Joint work with Gorjan Alagic, Alexander Russell and Fang Song QCrypt 2018, Shanghai, China Message authentication Alice Bob m Message authentication Alice Bob

  1. Quantum secure message authentication via blind-unforgeability Christian Majenz Joint work with Gorjan Alagic, Alexander Russell and Fang Song QCrypt 2018, Shanghai, China

  2. Message authentication Alice Bob m

  3. Message authentication Alice Bob m m ′ � … the m m ′ � Internet is a scary place…

  4. Message authentication Problem: how can Bob check if a message came from Alice and is unchanged? Alice Bob m m ′ � … the m m ′ � Internet is a scary place… acc/rej?

  5. Message authentication Problem: how can Bob check if a message came from Alice and is unchanged? Solution: message authentication code (MAC) (some efficient function Mac )

  6. Message authentication Problem: how can Bob check if a message came from Alice and is unchanged? Solution: message authentication code (MAC) (some efficient function Mac ) Alice Bob m k k

  7. Message authentication Problem: how can Bob check if a message came from Alice and is unchanged? Solution: message authentication code (MAC) (some efficient function Mac ) Alice Bob m k k Mac 𝑢

  8. Message authentication Problem: how can Bob check if a message came from Alice and is unchanged? Solution: message authentication code (MAC) (some efficient function Mac ) Alice Bob m m ′ � k k … the m m ′ � 𝑢 𝑢 ′ � Internet is Mac a scary place… 𝑢 𝑢 ′ �

  9. Message authentication Problem: how can Bob check if a message came from Alice and is unchanged? Solution: message authentication code (MAC) (some efficient function Mac ) Alice Bob m m ′ � k k … the m m ′ � 𝑢 𝑢 ′ � Internet is Mac Mac a scary place… ? = 𝑢 𝑢 ′ � acc/rej

  10. Message authentication Problem: how can Bob check if a message came from Alice and is unchanged? Solution: message authentication code (MAC) (some efficient function Mac ) Alice Bob m m ′ � k k … the m m ′ � 𝑢 𝑢 ′ � Internet is Mac Mac a scary place… ? = 𝑢 𝑢 ′ � acc/rej Note: Bob is only checking consistency with the function .

  11. Message authentication What properties should a MAC satisfy to be secure?

  12. Message authentication What properties should a MAC satisfy to be secure? What are we worried about? Forgeries!

  13. Message authentication What properties should a MAC satisfy to be secure? What are we worried about? Forgeries! • plain forgery: ( 𝑛 , 𝐍𝐛𝐝 𝑙 ( 𝑛 ))

  14. Message authentication What properties should a MAC satisfy to be secure? What are we worried about? Forgeries! • plain forgery: ( 𝑛 , 𝐍𝐛𝐝 𝑙 ( 𝑛 )) • “malleability” attacks: ( 𝑛 , 𝐍𝐛𝐝 𝑙 ( 𝑛 )) ( 𝑛 ′ � , 𝐍𝐛𝐝 𝑙 ( 𝑛 ′ � ))

  15. Message authentication What properties should a MAC satisfy to be secure? What are we worried about? Forgeries! • plain forgery: ( 𝑛 , 𝐍𝐛𝐝 𝑙 ( 𝑛 )) • “malleability” attacks: ( 𝑛 , 𝐍𝐛𝐝 𝑙 ( 𝑛 )) ( 𝑛 ′ � , 𝐍𝐛𝐝 𝑙 ( 𝑛 ′ � )) • using an oracle to produce a fresh forgery (most general attack): 𝐍𝐛𝐝 𝑙 (fresh)

  16. Message authentication What properties should a MAC satisfy to be secure? What are we worried about? Forgeries! • plain forgery: ( 𝑛 , 𝐍𝐛𝐝 𝑙 ( 𝑛 )) • “malleability” attacks: ( 𝑛 , 𝐍𝐛𝐝 𝑙 ( 𝑛 )) ( 𝑛 ′ � , 𝐍𝐛𝐝 𝑙 ( 𝑛 ′ � )) • using an oracle to produce a fresh forgery (most general attack): 𝐍𝐛𝐝 𝑙 (fresh) Key property: unpredictability of . 𝐍𝐛𝐝 𝑙

  17. Classical security: Unforgeability A message authentication code is secure, if no successful forger exists:

  18. Classical security: Unforgeability A message authentication code is secure, if no successful forger exists: 𝐍𝐛𝐝 𝑙

  19. Classical security: Unforgeability A message authentication code is secure, if no successful forger exists: 𝐍𝐛𝐝 𝑙 t 1 m 1

  20. Classical security: Unforgeability A message authentication code is secure, if no successful forger exists: 𝐍𝐛𝐝 𝑙 t 1 t 2 m 1 m 2

  21. Classical security: Unforgeability A message authentication code is secure, if no successful forger exists: 𝐍𝐛𝐝 𝑙 t 1 t 2 t q m 1 m 2 m q …

  22. Classical security: Unforgeability A message authentication code is secure, if no successful forger exists: 𝐍𝐛𝐝 𝑙 t 1 t 2 t q m 1 m 2 m q … ( m *, t *)

  23. Classical security: Unforgeability A message authentication code is secure, if no successful forger exists: 𝐍𝐛𝐝 𝑙 t 1 Success: t 2 t q i ) m * ≠ m i for all i = 1,..., q m 1 m 2 m q … ii ) Mac k ( m *) = t * ( m *, t *)

  24. Classical security: Unforgeability A message authentication code is secure, if no successful forger exists: 𝐍𝐛𝐝 𝑙 t 1 Success: t 2 t q i ) m * ≠ m i for all i = 1,..., q m 1 m 2 m q … ii ) Mac k ( m *) = t * ( m *, t *) “Existential unforgeability under chosen message attacks”, EUF-CMA

  25. Classical security: Unforgeability A message authentication code is secure, if no successful forger exists: 𝐍𝐛𝐝 𝑙 t 1 Success: t 2 t q i ) m * ≠ m i for all i = 1,..., q m 1 m 2 m q … ii ) Mac k ( m *) = t * ( m *, t *) “Existential unforgeability under chosen message attacks”, EUF-CMA W hat if the adversary has quantum oracle access to ? 𝐍𝐛𝐝 𝑙

  26. Classical security: Unforgeability A message authentication code is secure, if no successful forger exists: 𝐍𝐛𝐝 𝑙 t 1 Success: t 2 t q i ) m * ≠ m i for all i = 1,..., q m 1 m 2 m q … ii ) Mac k ( m *) = t * ( m *, t *) “Existential unforgeability under chosen message attacks”, EUF-CMA W hat if the adversary has quantum oracle access to ? 𝐍𝐛𝐝 𝑙 Example: ∑ ∑ i) Query to obtain m 1 = | m ⟩ | 0 ⟩ | m ⟩ | Mac k ( m ) ⟩ m ∈ {0,1} n m ∈ {0,1} n ii) Measure in the computational basis to obtain for random m ( m , Mac k ( m )) iii) Output ( m , Mac k ( m ))

  27. Classical security: Unforgeability A message authentication code is secure, if no successful forger exists: 𝐍𝐛𝐝 𝑙 t 1 Success: t 2 t q i ) m * ≠ m i for all i = 1,..., q m 1 m 2 m q … ii ) Mac k ( m *) = t * ( m *, t *) “Existential unforgeability under chosen message attacks”, EUF-CMA W hat if the adversary has quantum oracle access to ? 𝐍𝐛𝐝 𝑙 Example: ∑ ∑ i) Query to obtain m 1 = | m ⟩ | 0 ⟩ | m ⟩ | Mac k ( m ) ⟩ m ∈ {0,1} n m ∈ {0,1} n ii) Measure in the computational basis to obtain for random m ( m , Mac k ( m )) iii) Output ( m , Mac k ( m )) EUF-CMA doesn’t make sense anymore…

  28. Quantum What does it mean for a function to be unpredictable against quantum? What is a good predictor?

  29. Quantum What does it mean for a function to be unpredictable against quantum? What is a good predictor? Not a good predictor: ∑ ∑ i) Query to obtain | m ⟩ | 0 ⟩ | m ⟩ | Mac k ( m ) ⟩ m 1 = m ∈ {0,1} n m ∈ {0,1} n ii) Measure in the computational basis to obtain for random m ( m , Mac k ( m )) iii) Output ( m , Mac k ( m ))

  30. Quantum What does it mean for a function to be unpredictable against quantum? What is a good predictor? Not a good predictor: ∑ ∑ i) Query to obtain | m ⟩ | 0 ⟩ | m ⟩ | Mac k ( m ) ⟩ m 1 = m ∈ {0,1} n m ∈ {0,1} n ii) Measure in the computational basis to obtain for random m ( m , Mac k ( m )) iii) Output ( m , Mac k ( m )) A good predictor: key specifies a random periodic function with period p k f k k , and Mac k ( x ) = f k ( x ) ∀ x ≠ p k Mac k ( p k ) = 0 i) run period finding to find p k ii) output ( p k ,0)

  31. Boneh Zhandry unforgeability A proposal: (Boneh and Zhandry, EUROCRYPT 2013): Ask forgeries for queries! q q + 1

  32. Boneh Zhandry unforgeability A proposal: (Boneh and Zhandry, EUROCRYPT 2013): Ask forgeries for queries! q q + 1 Success: 𝐍𝐛𝐝 𝑙 t 1 t 2 i ∀ i = 1,..., q + 1 t q Mac k ( m * i ) = t * m 1 m 2 m q … ( m * 1 , t * 1 ), ( m * 2 , t * 2 ), . . . , ( m * q +1 , t * q +1 )

  33. Boneh Zhandry unforgeability A proposal: (Boneh and Zhandry, EUROCRYPT 2013): Ask forgeries for queries! q q + 1 Success: 𝐍𝐛𝐝 𝑙 t 1 t 2 i ∀ i = 1,..., q + 1 t q Mac k ( m * i ) = t * m 1 m 2 m q … ( m * 1 , t * 1 ), ( m * 2 , t * 2 ), . . . , ( m * q +1 , t * q +1 ) Has some nice properties: • Equivalent to EUF-CMA for classical oracle • A random function is BZ-unforgeable (BZ ’13)

  34. The right definition? Success: 𝐍𝐛𝐝 𝑙 t 1 t 2 t q i ∀ i = 1,..., q +1 Mac k ( m * i ) = t * m 1 m 2 m q … ( m * 1 , t * 1 ), ( m * 2 , t * 2 ), . . . , ( m * q +1 , t * q +1 )

  35. The right definition? Success: 𝐍𝐛𝐝 𝑙 t 1 t 2 t q i ∀ i = 1,..., q +1 Mac k ( m * i ) = t * m 1 m 2 m q … ( m * 1 , t * 1 ), ( m * 2 , t * 2 ), . . . , ( m * q +1 , t * q +1 ) Is this really right? What does your quantum intuition tell you? What if… • adversary has to fully measure many queries to generate one forgery? (no-cloning)

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Quantum-secure message authentication via blind-unforgeability Gorjan Alagic, Christian Majenz,

Quantum-secure message authentication via blind-unforgeability Gorjan Alagic, Christian Majenz,

Quantum-secure message authentication via blind-unforgeability Gorjan Alagic, Christian Majenz, Alexander Russell and Fang Song Eurocrypt 2020, in Cyberspace Introduction Integrity and authenticity Integrity and authenticity It says X

785 views • 63 slides
Quantum-Secure Message Authentication Codes Dan Boneh and Mark

Quantum-Secure Message Authentication Codes Dan Boneh and Mark

Quantum-Secure Message Authentication Codes Dan Boneh and Mark Zhandry Stanford University 1/19 Classical Chosen Message Attack (CMA) m i i = S ( k, m i )

658 views • 19 slides
1 Message Encryption- see Table 11.1 in the book Message Encryption if public-key encryption

1 Message Encryption- see Table 11.1 in the book Message Encryption if public-key encryption

Message Authentication CPE 542: CRYPTOGRAPHY & NETWORK SECURITY message authentication is concerned with: protecting the integrity of a message Chapter 11 Message Authentication and validating identity of originator Hash

462 views • 6 slides
Message Authentication MAC and Hash SMU CSE 5349/49 Message Authentication Verify that

Message Authentication MAC and Hash SMU CSE 5349/49 Message Authentication Verify that

Message Authentication MAC and Hash SMU CSE 5349/49 Message Authentication Verify that messages come from the alleged source, unaltered SMU CSE 5349/7349 Authentication Functions Message encryption Ciphertext itself serves as

1.16k views • 69 slides
Chapter3 Public-Key Cryptography and Message Authentication Henric Johnson/jme 1 OUTLINE

Chapter3 Public-Key Cryptography and Message Authentication Henric Johnson/jme 1 OUTLINE

Chapter3 Public-Key Cryptography and Message Authentication Henric Johnson/jme 1 OUTLINE Approaches to Message Authentication Secure Hash Functions (SHA) and Keyed- Hash Message Authentication Code (HMAC) Public-Key Cryptography

458 views • 29 slides
THE RANK METHOD AND APPLICATIONS TO QUANTUM LOWER BOUNDS Mark Zhandry Joint work with Dan Boneh

THE RANK METHOD AND APPLICATIONS TO QUANTUM LOWER BOUNDS Mark Zhandry Joint work with Dan Boneh

THE RANK METHOD AND APPLICATIONS TO QUANTUM LOWER BOUNDS Mark Zhandry Joint work with Dan Boneh This Talk Highlight technique from very recent paper: Quantum-Secure Message Authentication Codes Specifically: Quantum Oracle Interrogation

734 views • 25 slides
Crypto Conclusion (maybe) Message Authentication Codes Key Management Fall 2018 CS 334:

Crypto Conclusion (maybe) Message Authentication Codes Key Management Fall 2018 CS 334:

Crypto Conclusion (maybe) Message Authentication Codes Key Management Fall 2018 CS 334: Computer Security 1 Message Authentication message authentication is concerned with: protecting the integrity of a message Confirming

512 views • 48 slides
References Message Authentication Codes (MACs) Message Authentication Codes (MACs), Chapter

References Message Authentication Codes (MACs) Message Authentication Codes (MACs), Chapter

Message Authentication Codes (MACs) Message Authentication Codes (MACs) References Message Authentication Codes (MACs) Message Authentication Codes (MACs), Chapter 12 of Understanding Cryptography by Paar & Pelzl Jim Royer Message

224 views • 3 slides
Quantum Authentication with Key Recycling Christopher Portmann Dept. Physics, ETH Zurich,

Quantum Authentication with Key Recycling Christopher Portmann Dept. Physics, ETH Zurich,

Introduction Classical secure channel Quantum secure channel Quantum Authentication with Key Recycling Christopher Portmann Dept. Physics, ETH Zurich, Switzerland Dept. of Computer Science, ETH Zurich, Switzerland EUROCRYPT 2017, Paris, 4 May

717 views • 54 slides
Message authentication and digital signatures " Message authentication verify that the

Message authentication and digital signatures " Message authentication verify that the

Message authentication and digital signatures " Message authentication verify that the message is from the right sender, and not modified (incl message sequence) " Digital signatures in addition, non ! repudiation " Two

439 views • 23 slides
Crypto Conclusion Message Authentication Codes Key Management Fall 2012 CS 334: Computer

Crypto Conclusion Message Authentication Codes Key Management Fall 2012 CS 334: Computer

Crypto Conclusion Message Authentication Codes Key Management Fall 2012 CS 334: Computer Security 1 Message Authentication message authentication is concerned with: protecting the integrity of a message Confirming identity of

982 views • 46 slides
ZMAC: A Fast Tweakable Block Cipher Mode for Highly Secure Message Authentication Tetsu Iwata

ZMAC: A Fast Tweakable Block Cipher Mode for Highly Secure Message Authentication Tetsu Iwata

ZMAC: A Fast Tweakable Block Cipher Mode for Highly Secure Message Authentication Tetsu Iwata 1 Kazuhiko Minematsu 2 Thomas Peyrin 3 Yannick Seurin 4 1 Nagoya University (Japan) and 2 NEC (Japan) 3 NTU (Singapore) and 4 ANSSI (France)

378 views • 35 slides
Security 2 CSC 249 April 12, 2018 Network Security Recap Message Integrity and Authentication

Security 2 CSC 249 April 12, 2018 Network Security Recap Message Integrity and Authentication

Security 2 CSC 249 April 12, 2018 Network Security Recap Message Integrity and Authentication Trusted Intermediaries Secure email pretty good privacy (PGP) 2 1 Cryptographic Keys Alices Bobs K A encryption decryption K B key

427 views • 13 slides
Authentication, vulnerabilities, exploits, and the secure design principles of Saltzer and

Authentication, vulnerabilities, exploits, and the secure design principles of Saltzer and

Authentication, vulnerabilities, exploits, and the secure design principles of Saltzer and Schroeder Authentication in general Bishop: Authentication is the binding of an identity to a principal. Network-based authentication mechanisms

1.6k views • 43 slides
Message Authentication Codes Digital Signatures Lecture 11 Shafi Goldwasser Authentication

Message Authentication Codes Digital Signatures Lecture 11 Shafi Goldwasser Authentication

Message Authentication Codes Digital Signatures Lecture 11 Shafi Goldwasser Authentication Problem Bob Alice k k message M Eve is Active: Can alter messages Can insert new messages Authentication Problem Secrecy is not the only

553 views • 37 slides
Data Integrity & Authentication Message Authentication Codes (MACs) Goal Ensure integrity

Data Integrity & Authentication Message Authentication Codes (MACs) Goal Ensure integrity

Data Integrity & Authentication Message Authentication Codes (MACs) Goal Ensure integrity of messages, even in presence of an active adversary who sends own messages. Alice Bob (sender) (reciever) Fran (forger) Remark: Authentication

450 views • 31 slides
John S. Otto, Mario A. Sanchez, David R. Choffnes*, Fabin E. Bustamante, Georgos Siganos**

John S. Otto, Mario A. Sanchez, David R. Choffnes*, Fabin E. Bustamante, Georgos Siganos**

John S. Otto, Mario A. Sanchez, David R. Choffnes*, Fabin E. Bustamante, Georgos Siganos** Northwestern, EECS * U. Wash, CSE ** Telefnica Research http://aqualab.cs.northwestern.edu 2 Otto, Snchez, Choffnes, Bustamante & Siganos On

655 views • 26 slides
On Completeness of Feature Spaces in Blind Steganalysis Jan Kodovsk y Jessica Fridrich

On Completeness of Feature Spaces in Blind Steganalysis Jan Kodovsk y Jessica Fridrich

Introduction Feature Correction Method (FCM) Experimental results On Completeness of Feature Spaces in Blind Steganalysis Jan Kodovsk y Jessica Fridrich September 23 / MM&SEC 2008 Kodovsk y, Fridrich On Completeness of Feature

575 views • 19 slides
BSPL, the Blindingly Simple Protocol Language Munindar P . Singh North Carolina State University

BSPL, the Blindingly Simple Protocol Language Munindar P . Singh North Carolina State University

BSPL, the Blindingly Simple Protocol Language Munindar P . Singh North Carolina State University April 2011 singh@ncsu.edu (NCSU) Blindingly Simple Protocol Language April 2011 1 / 34 Interactions and Protocols All actions are interactions

385 views • 34 slides
Verification in Blaise 4.82 Mark M Pierzchala Sharing your passion for accurate, efficient

Verification in Blaise 4.82 Mark M Pierzchala Sharing your passion for accurate, efficient

Verification in Blaise 4.82 Mark M Pierzchala Sharing your passion for accurate, efficient surveys Blaise verification is important for: Paper surveys or dumb electronic collection Paper / CATI CAPI Paper / Web Paper /

736 views • 12 slides
Presenter Disclosure Presenters: Jane Derbyshire RN Interim Executive Director Heather Aben

Presenter Disclosure Presenters: Jane Derbyshire RN Interim Executive Director Heather Aben

AFHTO 2017 Conference Presenter Disclosure Presenters: Jane Derbyshire RN Interim Executive Director Heather Aben RN Discharge Patient Program Relationships with commercial interests: Grants/Research Support: None to disclose

665 views • 63 slides
Company Presentation 10 September 2020 ATOMO DIAGNOSTICS LIMITED | (ASX: AT1) DISCLAIMER This

Company Presentation 10 September 2020 ATOMO DIAGNOSTICS LIMITED | (ASX: AT1) DISCLAIMER This

This announcement was authorised by John Kelly, Managing Director Atomo Diagnostics Limited 701 703 Parramatta Road Leichhardt NSW 2040 Australia Company Presentation 10 September 2020 ATOMO DIAGNOSTICS LIMITED | (ASX: AT1) DISCLAIMER

192 views • 16 slides
Tutorial: atomistic simulations for irradiation effects. Kai Nordlund Professor, Department of

Tutorial: atomistic simulations for irradiation effects. Kai Nordlund Professor, Department of

Tutorial: atomistic simulations for irradiation effects. Kai Nordlund Professor, Department of Physics Adjoint Professor, Helsinki Institute of Physics University of Helsinki, Finland UNIVERSITY OF HELSINKI KUMPULA CAMPUS -- 1000 STAFF

1.35k views • 106 slides
Objectives Challenges commonly encountered by people with disabilities in clinical care

Objectives Challenges commonly encountered by people with disabilities in clinical care

Optimizing Care of Patients with Disabilities - Visual Impairment - Mobility Impairment Nathaniel Gleason, MD Assistant Clinical Professor of Medicine Division of General Internal Medicine Objectives Challenges commonly encountered by

304 views • 19 slides

More recommend