unforgeable quantum encryption
play

Unforgeable quantum encryption Christian Majenz Joint work with - PowerPoint PPT Presentation

Jun 05, 2023 •214 likes •893 views

Unforgeable quantum encryption Christian Majenz Joint work with Gorjan Alagic and Tommaso Gagliardoni Authenticated Encryption! ( Using AES with 128 bit block size in Galois Counter Mode and SHA2 ) Authenticated Encryption! ( Using AES with 128

  1. Unforgeable quantum encryption Christian Majenz Joint work with Gorjan Alagic and Tommaso Gagliardoni

  6. Authenticated Encryption! ( Using AES with 128 bit block size in Galois Counter Mode and SHA2 )

  7. Authenticated Encryption! ( Using AES with 128 bit block size in Galois Counter Mode and SHA2 )

  8. Taxonomy of security

  9. Taxonomy of security secrecy

  10. Taxonomy of security authenticity, secrecy Integrity

  11. Taxonomy of security authenticity, secrecy Integrity Indistinguishability of ciphertexts under chosen plaintext attacks (IND-CPA)

  12. Taxonomy of security authenticity, secrecy Integrity Indistinguishability of ciphertexts under nonadaptive chosen ciphertext attacks (IND-CCA1) = implication Indistinguishability of ciphertexts under chosen plaintext attacks (IND-CPA)

  13. Taxonomy of security authenticity, secrecy Integrity Indistinguishability of ciphertexts under adaptive chosen ciphertext attacks (IND-CCA2) Indistinguishability of ciphertexts under nonadaptive chosen ciphertext attacks (IND-CCA1) = implication Indistinguishability of ciphertexts under chosen plaintext attacks (IND-CPA)

  14. Taxonomy of security authenticity, secrecy Integrity Integrity of ciphertexts Indistinguishability of ciphertexts (INT-CTXT) under adaptive chosen ciphertext attacks ( EUF-CMA for encryption ≈ (IND-CCA2) schemes) Indistinguishability of ciphertexts under nonadaptive chosen ciphertext attacks (IND-CCA1) = implication Indistinguishability of ciphertexts under chosen plaintext attacks (IND-CPA)

  15. Taxonomy of security Authenticated encryption authenticity, secrecy Integrity Definition Integrity of ciphertexts Indistinguishability of ciphertexts (INT-CTXT) under adaptive chosen ciphertext attacks ( EUF-CMA for encryption ≈ (IND-CCA2) schemes) Indistinguishability of ciphertexts under nonadaptive chosen ciphertext attacks (IND-CCA1) = implication Indistinguishability of ciphertexts under chosen plaintext attacks (IND-CPA)

  16. Taxonomy of security Authenticated encryption authenticity, secrecy Integrity Integrity of ciphertexts Indistinguishability of ciphertexts (INT-CTXT) under adaptive chosen ciphertext attacks ( EUF-CMA for encryption ≈ (IND-CCA2) schemes) Indistinguishability of ciphertexts Indistinguishability of ciphertexts under nonadaptive chosen ciphertext attacks under chosen ciphertext attacks (IND-CCA1) (IND-CCA1) Broadbent and Je ff ery, Crypto 2015 Alagic et al., ICITS 2016 Indistinguishability of ciphertexts Indistinguishability of ciphertexts under chosen plaintext attacks under chosen plaintext attacks (IND-CPA) (IND-CPA)

  17. Taxonomy of security Authenticated encryption authenticity, secrecy Integrity No quantum version!!! Why not, what is the di ffi culty? Integrity of ciphertexts Indistinguishability of ciphertexts (INT-CTXT) under adaptive chosen ciphertext attacks ( EUF-CMA for encryption ≈ (IND-CCA2) schemes) Indistinguishability of ciphertexts Indistinguishability of ciphertexts under nonadaptive chosen ciphertext attacks under chosen ciphertext attacks (IND-CCA1) (IND-CCA1) Broadbent and Je ff ery, Crypto 2015 Alagic et al., ICITS 2016 Indistinguishability of ciphertexts Indistinguishability of ciphertexts under chosen plaintext attacks under chosen plaintext attacks (IND-CPA) (IND-CPA)

  18. Integrity of ciphertexts An encryption scheme has integrity of ciphertexts, if no successfull (KeyGen, Enc, Dec) ciphertext-forging adversary exists:

  19. Integrity of ciphertexts An encryption scheme has integrity of ciphertexts, if no successfull (KeyGen, Enc, Dec) ciphertext-forging adversary exists: Enc k

  20. Integrity of ciphertexts An encryption scheme has integrity of ciphertexts, if no successfull (KeyGen, Enc, Dec) ciphertext-forging adversary exists: Enc k c 1 m 1

  21. Integrity of ciphertexts An encryption scheme has integrity of ciphertexts, if no successfull (KeyGen, Enc, Dec) ciphertext-forging adversary exists: Enc k c 1 c 2 m 1 m 2

  22. Integrity of ciphertexts An encryption scheme has integrity of ciphertexts, if no successfull (KeyGen, Enc, Dec) ciphertext-forging adversary exists: Enc k c 1 c 2 c q m 1 m 2 m q …

  23. Integrity of ciphertexts An encryption scheme has integrity of ciphertexts, if no successfull (KeyGen, Enc, Dec) ciphertext-forging adversary exists: Enc k c 1 c 2 c q m 1 m 2 m q … c *

  24. Integrity of ciphertexts An encryption scheme has integrity of ciphertexts, if no successfull (KeyGen, Enc, Dec) ciphertext-forging adversary exists: Enc k c 1 c 2 c q Success: i ) c * ≠ c i for all i = 1,..., q m 1 m 2 m q … ii ) Dec k ( c *) ≠ ⊥ c *

  25. Integrity of ciphertexts An encryption scheme has integrity of ciphertexts, if no successfull (KeyGen, Enc, Dec) ciphertext-forging adversary exists: Enc k c 1 c 2 c q Success: i ) c * ≠ c i for all i = 1,..., q m 1 m 2 m q … ii ) Dec k ( c *) ≠ ⊥ c * What about encryption of quantum data?

  26. Quantum i (attempt) Integrity of ciphertexts An encryption scheme has integrity of ciphertexts, if no successfull (KeyGen, Enc, Dec) ciphertext-forging adversary exists: Enc k c 1 c 2 c q Success: i ) c * ≠ c i for all i = 1,..., q m 1 m 2 m q … ii ) Dec k ( c *) ≠ ⊥ c * What about encryption of quantum data?

  27. Quantum i (attempt) Integrity of ciphertexts Quantum An encryption scheme has integrity of ciphertexts, if no successfull (KeyGen, Enc, Dec) ciphertext-forging adversary exists: Enc k c 1 c 2 c q Success: i ) c * ≠ c i for all i = 1,..., q m 1 m 2 m q … ii ) Dec k ( c *) ≠ ⊥ c * What about encryption of quantum data?

  28. Quantum i (attempt) Integrity of ciphertexts Quantum An encryption scheme has integrity of ciphertexts, if no successfull (KeyGen, Enc, Dec) ciphertext-forging adversary exists: Enc k Enc k | c q ⟩ | c 1 ⟩ | c 2 ⟩ Success: i ) c * ≠ c i for all i = 1,..., q … | m q ⟩ | m 1 ⟩ | m 2 ⟩ ii ) Dec k ( c *) ≠ ⊥ c * What about encryption of quantum data?

  29. Quantum i (attempt) Integrity of ciphertexts Quantum An encryption scheme has integrity of ciphertexts, if no successfull (KeyGen, Enc, Dec) ciphertext-forging adversary exists: Enc k Enc k | c q ⟩ | c 1 ⟩ | c 2 ⟩ Success: i ) c * ≠ c i for all i = 1,..., q … | m q ⟩ | m 1 ⟩ | m 2 ⟩ ii ) Dec k ( c *) ≠ ⊥ | c * ⟩ What about encryption of quantum data?

  30. Quantum i (attempt) Integrity of ciphertexts Quantum An encryption scheme has integrity of ciphertexts, if no successfull (KeyGen, Enc, Dec) ciphertext-forging adversary exists: Enc k Enc k | c q ⟩ | c 1 ⟩ | c 2 ⟩ Success: ???????????? i ) … | m q ⟩ | m 1 ⟩ | m 2 ⟩ ii ) Dec k ( | c * ⟩ ) ≠ | ⊥ ⟩ | c * ⟩ What about encryption of quantum data?

  31. Quantum i (attempt) Integrity of ciphertexts Quantum An encryption scheme has integrity of ciphertexts, if no successfull (KeyGen, Enc, Dec) ciphertext-forging adversary exists: Enc k Enc k | c q ⟩ | c 1 ⟩ | c 2 ⟩ Success: ???????????? i ) … | m q ⟩ | m 1 ⟩ | m 2 ⟩ ii ) Dec k ( | c * ⟩ ) ≠ | ⊥ ⟩ | c * ⟩ What about encryption of quantum data? Unsurmountable problems arise: • no-cloning: can’t copy for later comparison with . | c i ⟩ | c * ⟩ • destructive nature of quantumn measurement: even assuming we had coexisting copies of and , can’t compare them without destroying . | c i ⟩ | c * ⟩ | c * ⟩

  32. Quantum i (attempt) Integrity of ciphertexts Quantum An encryption scheme has integrity of ciphertexts, if no successfull (KeyGen, Enc, Dec) ciphertext-forging adversary exists: Enc k Enc k | c q ⟩ | c 1 ⟩ | c 2 ⟩ Success: ???????????? i ) … | m q ⟩ | m 1 ⟩ | m 2 ⟩ ii ) Dec k ( | c * ⟩ ) ≠ | ⊥ ⟩ | c * ⟩ What about encryption of quantum data? Unsurmountable problems arise: • no-cloning: can’t copy for later comparison with . | c i ⟩ | c * ⟩ • destructive nature of quantumn measurement: even assuming we had coexisting copies of and , can’t compare them without destroying . | c i ⟩ | c * ⟩ | c * ⟩ IND-CCA2: Adversary gets decryption oracle after the challenge phase, but can’t decrypt the challenge. Similar problem ⟹

  33. Quantum (plaintext) unforgeability — Setup Quantum (plaintext) unforgeability For simplicity of exposition, let’s try to generalize plaintext unforgeability to quantum Enc k c 1 c 2 c q Success: i ) m * := Dec k ( c *) ≠ m i for all i = 1,..., q m 1 m 2 m q … ii ) Dec k ( c *) ≠ ⊥ c *

  34. Quantum (plaintext) unforgeability — Setup Quantum (plaintext) unforgeability For simplicity of exposition, let’s try to generalize plaintext unforgeability to quantum Enc k Enc k | c q ⟩ | c 1 ⟩ | c 2 ⟩ Success: ???????????? i ) … | m q ⟩ | m 1 ⟩ | m 2 ⟩ ii ) Dec k ( | c * ⟩ ) ≠ | ⊥ ⟩ | c * ⟩

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Unforgeable quantum encryption Christian Majenz Joint work with Gorjan Alagic and Tommaso

Unforgeable quantum encryption Christian Majenz Joint work with Gorjan Alagic and Tommaso

Unforgeable quantum encryption Christian Majenz Joint work with Gorjan Alagic and Tommaso Gagliardoni Authenticated Encryption! ( Using AES with 128 bit block size in Galois Counter Mode and SHA2 ) Taxonomy of security Authenticated encryption

440 views • 26 slides
Unforgeable Quantum Encryption Gorjan Alagic 1 Tommaso Gagliardoni 2 Christian Majenz 3 1 QuICS,

Unforgeable Quantum Encryption Gorjan Alagic 1 Tommaso Gagliardoni 2 Christian Majenz 3 1 QuICS,

Unforgeable Quantum Encryption Gorjan Alagic 1 Tommaso Gagliardoni 2 Christian Majenz 3 1 QuICS, University of Maryland, and NIST, USA 2 IBM Research Zurich, Switzerland 3 University of Amsterdam, and QuSoft, CWI, The Netherlands May 3rd, 2018 Tel

1.28k views • 95 slides
Ruby Monstas Session 17: Interlude: Encryption Encryption What comes to mind if you think about

Ruby Monstas Session 17: Interlude: Encryption Encryption What comes to mind if you think about

Ruby Monstas Session 17: Interlude: Encryption Encryption What comes to mind if you think about encryption? Encryption Certificates Crypto Currencies Public Key AES Encryption Privacy SSH VPN HTTPS TLS Quantum Digital Signatures

837 views • 46 slides
Quantum Authentication and Encryption with Key Recycling Or: How to Re-use a One-Time Pad Even if

Quantum Authentication and Encryption with Key Recycling Or: How to Re-use a One-Time Pad Even if

Quantum Authentication and Encryption with Key Recycling Or: How to Re-use a One-Time Pad Even if P = NP Safely & Feasibly Serge Fehr Louis Salvail CWI Amsterdam University of Montral Encryption & Authentication Schemes with

829 views • 62 slides
How about quantum computing? Bert de Jong wadejong@lbl.gov - 1 - What makes quantum computing

How about quantum computing? Bert de Jong wadejong@lbl.gov - 1 - What makes quantum computing

How about quantum computing? Bert de Jong wadejong@lbl.gov - 1 - What makes quantum computing so exciting? Speedups over classical computing Unbreakable encryption protocols Quantum simulation Efficient optimization

961 views • 47 slides
Multi-Key Homomorphic Signatures Unforgeable under Insider Corruption Russell W. F. Lai 1,2 ,

Multi-Key Homomorphic Signatures Unforgeable under Insider Corruption Russell W. F. Lai 1,2 ,

Multi-Key Homomorphic Signatures Unforgeable under Insider Corruption Russell W. F. Lai 1,2 , Raymond K. H. Tai 2 , Harry W. H. Wong 2 , Sherman S. M. Chow 2 1 Friedrich-Alexander University Erlangen-Nuremberg 2 Chinese University of Hong Kong

618 views • 59 slides
Usable Encryption Class Presentation for CMSC 818D Wei Bai S Application S Hardware

Usable Encryption Class Presentation for CMSC 818D Wei Bai S Application S Hardware

Usable Encryption Class Presentation for CMSC 818D Wei Bai S Application S Hardware Encryption S Web Encryption S Email Encryption OpenPGP S S/MIME S S Online Social Network Public Key Encryption S Encryption/Decryption

842 views • 26 slides
RSA Encryption 10 February 2012 RSA Encryption 10 February 2012 1/35 We saw some methods of

RSA Encryption 10 February 2012 RSA Encryption 10 February 2012 1/35 We saw some methods of

RSA Encryption 10 February 2012 RSA Encryption 10 February 2012 1/35 We saw some methods of encryption Wednesday, but none of these is good enough to be used in actual situations. Today well talk about one method, RSA Encryption, which is

1.01k views • 59 slides
Secret-Key Encryption Introduction Encryption is the process of encoding a message in such a

Secret-Key Encryption Introduction Encryption is the process of encoding a message in such a

Secret-Key Encryption Introduction Encryption is the process of encoding a message in such a way that only authorized parties can read the content of the original message History of encryption dates back to 1900 BC Two types of

533 views • 38 slides
Post-quantum cryptography Tanja Lange 07 October 2015 SPACE 2015 In the long term, all

Post-quantum cryptography Tanja Lange 07 October 2015 SPACE 2015 In the long term, all

Post-quantum cryptography Tanja Lange 07 October 2015 SPACE 2015 In the long term, all encryption needs to be post-quantum Mark Ketchen, IBM Research, 2012, on quantum computing: Were actually doing things that are making us think like,

901 views • 41 slides
SECURE IDENTITY-BASED ENCRYPTION IN THE QUANTUM RANDOM ORACLE MODEL Mark Zhandry Stanford

SECURE IDENTITY-BASED ENCRYPTION IN THE QUANTUM RANDOM ORACLE MODEL Mark Zhandry Stanford

SECURE IDENTITY-BASED ENCRYPTION IN THE QUANTUM RANDOM ORACLE MODEL Mark Zhandry Stanford University Random Oracle Model (ROM) Sometimes, we cant prove a scheme secure in the standard model. Instead, model a hash function as a

509 views • 38 slides
Functional Encryption Lecture 27 Functional Encryption Plain encryption: for secure

Functional Encryption Lecture 27 Functional Encryption Plain encryption: for secure

Functional Encryption Lecture 27 Functional Encryption Plain encryption: for secure communication. Does not allow modifying encrypted data. Homomorphic Encryption: allows computation on encrypted data, but result remains encrypted Functional

987 views • 61 slides
Encryption at Rest in ZFS Tom Caputi tcaputi@datto.com Overview of Encryption Implementation 2

Encryption at Rest in ZFS Tom Caputi tcaputi@datto.com Overview of Encryption Implementation 2

Encryption at Rest in ZFS Tom Caputi tcaputi@datto.com Overview of Encryption Implementation 2 What is Encryption? Want to prevent someone (an attacker) from accessing private data Permissions arent good enough Root user can

788 views • 20 slides
Functional Encryption for Regular Languages Brent Waters Public Key Encryption

Functional Encryption for Regular Languages Brent Waters Public Key Encryption

Functional Encryption for Regular Languages Brent Waters Public Key Encryption [DH76,M78,RSA78,GM84] Avoid Prior Secret Exchange PubK SK 2 Functional Encryption [SW05] Functionality: f( , ) MSK Authority Key: y 2 {0,1}* y SK CT: x

945 views • 16 slides
PERSISTENT AND UNFORGEABLE WATERMARKS FOR DEEP NEURAL NETWORKS Huiying Li, Emily Willson, Heather

PERSISTENT AND UNFORGEABLE WATERMARKS FOR DEEP NEURAL NETWORKS Huiying Li, Emily Willson, Heather

DNNS ARE INCREASINGLY POPULAR PERSISTENT AND UNFORGEABLE WATERMARKS FOR DEEP NEURAL NETWORKS Huiying Li, Emily Willson, Heather Zheng, Ben Y. Zhao Hey Siri Oct 30, 2019 1 2 DEEP NEURAL NETWORK (DNN) DNNS ARE HARD TO TRAIN A machine

115 views • 9 slides
Post-quantum cryptography Tanja Lange 02 October 2015 Academy Contact Forum Coding Theory and

Post-quantum cryptography Tanja Lange 02 October 2015 Academy Contact Forum Coding Theory and

Post-quantum cryptography Tanja Lange 02 October 2015 Academy Contact Forum Coding Theory and Cryptography VI In the long term, all encryption needs to be post-quantum Mark Ketchen, IBM Research, 2012, on quantum computing: Were

854 views • 42 slides
Relaxing IND-CCA: Indistinguishability Against Chosen Ciphertext Verification Attack Sumit Kumar

Relaxing IND-CCA: Indistinguishability Against Chosen Ciphertext Verification Attack Sumit Kumar

Relaxing IND-CCA: Indistinguishability Against Chosen Ciphertext Verification Attack Sumit Kumar Pandey Indian Statistical Institute Kolkata January 14, 2012 Sumit Kumar Pandey Relaxing IND-CCA: Indistinguishability Against Chosen Outline 1

624 views • 37 slides
Cryptanalysis of EAX Prime Kazuhiko Minematsu, NEC Corporation Stefan Lucks, Bauhaus

Cryptanalysis of EAX Prime Kazuhiko Minematsu, NEC Corporation Stefan Lucks, Bauhaus

Cryptanalysis of EAX Prime Kazuhiko Minematsu, NEC Corporation Stefan Lucks, Bauhaus Universitt Weimar Hiraku Morita, Nagoya University Tetsu Iwata, Nagoya University DIAC, Directions in Authenticated Ciphers July 5 6, 2012,

336 views • 22 slides
B) Symmetric Ciphers B.a) Fundamentals B.b) Block Ciphers B.c) Stream Ciphers 2 B.a)

B) Symmetric Ciphers B.a) Fundamentals B.b) Block Ciphers B.c) Stream Ciphers 2 B.a)

1 B) Symmetric Ciphers B.a) Fundamentals B.b) Block Ciphers B.c) Stream Ciphers 2 B.a) Fundamentals 3 B.1 Definition A mapping Enc: P K C for which k := Enc( ,k): P C is bijective for each k K is called an

1.1k views • 32 slides
(post-)quantum security of symmetric key schemes NTT Secure Platform Laboratories (and Nagoya

(post-)quantum security of symmetric key schemes NTT Secure Platform Laboratories (and Nagoya

Towards a better understanding of (post-)quantum security of symmetric key schemes NTT Secure Platform Laboratories (and Nagoya University) Akinori Hosoyamada @ASK 2019 (2019.12.13) Introduction Quantum Attacks against Symmetric

738 views • 56 slides
SYMMETRIC ENCRYPTION K is randomized E can be randomized or stateful D is deterministic

SYMMETRIC ENCRYPTION K is randomized E can be randomized or stateful D is deterministic

Syntax A symmetric encryption scheme SE = ( K , E , D ) consists of three algorithms: SYMMETRIC ENCRYPTION K is randomized E can be randomized or stateful D is deterministic 1 / 116 2 / 116 Correct decryption requirement Example:

430 views • 29 slides
Classical Cryptography Chester Rebeiro IIT Madras CR STINSON : chapter 1 Ciphers Symmetric

Classical Cryptography Chester Rebeiro IIT Madras CR STINSON : chapter 1 Ciphers Symmetric

Classical Cryptography Chester Rebeiro IIT Madras CR STINSON : chapter 1 Ciphers Symmetric Algorithms Encryption and Decryption use the same key i.e. K E = K D Examples: Block Ciphers : DES, AES, PRESENT, etc. Stream

534 views • 40 slides
T-79.159 Cryptography and Data Security Lecture 2: 2.1 Classical cryptosystems 2.2.Introduction

T-79.159 Cryptography and Data Security Lecture 2: 2.1 Classical cryptosystems 2.2.Introduction

T-79.159 Cryptography and Data Security Lecture 2: 2.1 Classical cryptosystems 2.2.Introduction to modern cryptographic primitives Kaufman et al: Chapter 2 Stallings: Chapter 2 1 2.1 Classical Cryptosystems Ceasar Cipher, or Shift Cipher

555 views • 21 slides
Generic Attacks on Feistel Ciphers With Internal Permutations Joana Treger, Jacques Patarin

Generic Attacks on Feistel Ciphers With Internal Permutations Joana Treger, Jacques Patarin

Generic Attacks on Feistel Ciphers With Internal Permutations Joana Treger, Jacques Patarin PRiSM, Universit e de Versailles 2008-11-27 Joana Treger, Jacques Patarin (PRiSM, Universit Generic Attacks on Feistel Ciphers With Internal

1.04k views • 52 slides

More recommend