slide-1
SLIDE 1

Unforgeable quantum encryption

Christian Majenz Joint work with Gorjan Alagic and Tommaso Gagliardoni

slide-6
SLIDE 6

Authenticated Encryption! (Using AES with 128 bit block size in Galois Counter Mode and SHA2)

slide-15
SLIDE 15

Taxonomy of security

  • secrecy
  • authenticity, integrity

  • Indistinguishability of ciphertexts under chosen plaintext attacks (IND-CPA)
  • Indistinguishability of ciphertexts under nonadaptive chosen ciphertext attacks (IND-CCA1)
  • Indistinguishability of ciphertexts under adaptive chosen ciphertext attacks (IND-CCA2)
  • Integrity of ciphertexts (INT-CTXT) (EUF-CMA for encryption schemes)
  • Authenticated encryption

[Diagram labels: "Definition"; arrow = implication]

slide-17
SLIDE 17

Taxonomy of security

  • secrecy
  • authenticity, integrity

  • Authenticated encryption
  • Indistinguishability of ciphertexts under chosen plaintext attacks (IND-CPA)
  • Indistinguishability of ciphertexts under adaptive chosen ciphertext attacks (IND-CCA2)
  • Indistinguishability of ciphertexts under chosen ciphertext attacks (IND-CCA1)
  • No quantum version!!! Why not, what is the difficulty?
  • Indistinguishability of ciphertexts under chosen plaintext attacks (IND-CPA)
  • Indistinguishability of ciphertexts under nonadaptive chosen ciphertext attacks (IND-CCA1)
  • Integrity of ciphertexts (INT-CTXT) (EUF-CMA for encryption schemes)

Broadbent and Jeffery, Crypto 2015; Alagic et al., ICITS 2016

slide-25
SLIDE 25

Integrity of ciphertexts

An encryption scheme (KeyGen, Enc, Dec) has integrity of ciphertexts if no successful ciphertext-forging adversary exists:

[Figure: adversary with oracle Enc_k; queries m1, m2, …, mq, answers c1, c2, …, cq; output c*]

Success:
  i) c* ≠ c_i for all i = 1,...,q
  ii) Dec_k(c*) ≠ ⊥
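The classical game above, as an added example that is not part of the original slides: it runs the forging game against two toy schemes constructed for this illustration (a SHA-256 keystream cipher, alone and with an HMAC-SHA256 tag, not the AES-GCM mentioned earlier). All class and function names are hypothetical, and `None` stands in for ⊥.

```python
import hashlib, hmac, os

def _stream(key, nonce, n):
    """Toy keystream (constructed for this example): SHA-256 in counter mode."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class StreamOnly:
    """Secrecy only: every string of at least 16 bytes decrypts to something."""
    def keygen(self):
        return os.urandom(32)
    def enc(self, k, m):
        nonce = os.urandom(16)
        return nonce + _xor(m, _stream(k, nonce, len(m)))
    def dec(self, k, c):
        if len(c) < 16:
            return None                              # None plays the role of ⊥
        return _xor(c[16:], _stream(k, c[:16], len(c) - 16))

class EncryptThenMac(StreamOnly):
    """Same cipher plus an HMAC-SHA256 tag over nonce || body, independent key."""
    def keygen(self):
        return os.urandom(64)                        # k[:32] encrypts, k[32:] MACs
    def enc(self, k, m):
        c = super().enc(k[:32], m)
        return c + hmac.new(k[32:], c, hashlib.sha256).digest()
    def dec(self, k, c):
        if len(c) < 48:
            return None
        body, tag = c[:-32], c[-32:]
        expected = hmac.new(k[32:], body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None                              # reject: Dec_k(c*) = ⊥
        return super().dec(k[:32], body)

def int_ctxt_game(scheme, adversary):
    """Run the forging game once; True means the adversary succeeded."""
    k = scheme.keygen()
    seen = []                                        # c_1, ..., c_q from the oracle
    def enc_oracle(m):
        c = scheme.enc(k, m)
        seen.append(c)
        return c
    c_star = adversary(enc_oracle)
    fresh = all(c_star != c for c in seen)           # success condition i)
    valid = scheme.dec(k, c_star) is not None        # success condition ii)
    return fresh and valid

def bit_flip_adversary(enc_oracle):
    """q = 1: request one ciphertext, flip one bit of its body, output that."""
    c1 = bytearray(enc_oracle(b"constructed sample message"))
    c1[16] ^= 0x01
    return bytes(c1)

def replay_adversary(enc_oracle):
    """Outputs an oracle answer unchanged, so condition i) fails."""
    return enc_oracle(b"constructed sample message")
```

Condition i) is a byte-for-byte comparison against the stored oracle answers, which is exactly the step that has no direct counterpart once the ciphertexts are quantum states.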

What about encryption of quantum data?

slide-32
SLIDE 32

Integrity of ciphertexts

An encryption scheme (KeyGen, Enc, Dec) has integrity of ciphertexts if no successful ciphertext-forging adversary exists:

What about encryption of quantum data?

Quantum i (attempt)

[Figure, labelled "Quantum": adversary with oracle Enc_k; queries |m1⟩, |m2⟩, …, |mq⟩, answers |c1⟩, |c2⟩, …, |cq⟩; output |c*⟩]

Success:
  i) ????????????
  ii) Dec_k(|c*⟩) ≠ |⊥⟩

Unsurmountable problems arise:

  • no-cloning: can’t copy |ci⟩ for later comparison with |c*⟩.
  • destructive nature of quantum measurement: even assuming we had coexisting copies of |ci⟩ and |c*⟩, can’t compare them without destroying |c*⟩.
  • IND-CCA2: Adversary gets decryption oracle after the challenge phase, but can’t decrypt the challenge. Similar problem

slide-33
SLIDE 33

Quantum (plaintext) unforgeability — Setup

For simplicity of exposition, let’s try to generalize plaintext unforgeability to quantum

[Figure: adversary with oracle Enc_k; queries m1, m2, …, mq, answers c1, c2, …, cq; output c*]

Success:
  i) m* := Dec_k(c*) ≠ m_i for all i = 1,...,q
  ii) Dec_k(c*) ≠ ⊥

slide-39
SLIDE 39

Quantum (plaintext) unforgeability — Setup

For simplicity of exposition, let’s try to generalize plaintext unforgeability to quantum

[Figure: adversary with oracle Enc_k; registers M1 C1, M2 C2, …, Mq Cq; output C*; M* obtained from C* by Dec_k]

Success:
  i) ????????????
  ii) M* ≠ |⊥⟩

Problem: Mi and M* don’t coexist. Ideas:

  • look at the channels with input Mi and output M*.
  • compare two games, one testing whether any of these channels is the identity, one testing validity of output
  • efficiency needed for reduction proofs
slide-44
SLIDE 44

Identity test

How do we test whether a quantum channel is the identity?

  • One efficient solution (Broadbent & Wainewright ICITS 2016): inner product in the Choi-Jamiołkowski picture

[Figure: |ϕ+⟩, channel Λ, then outcome |ϕ+⟩⟨ϕ+| or 𝟙 − |ϕ+⟩⟨ϕ+| ?]

  • Other identity tests possible that don’t need entanglement….

Let Id_{R1R2} be the identity test from register R1 to register R2.
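A numerical sketch of the entanglement-based test, added here as an example and not taken from the slides or the cited paper. It assumes the figure means: the channel Λ acts on the first register of |ϕ+⟩, then the two-outcome measurement {|ϕ+⟩⟨ϕ+|, 𝟙 − |ϕ+⟩⟨ϕ+|} is applied, with the first outcome meaning "identity". Channels are given as Kraus operators; all function names are hypothetical.

```python
import cmath, math

def phi_plus(d):
    """|phi+> = d^(-1/2) * sum_i |i>|i>, as a flat list of d*d amplitudes."""
    v = [0j] * (d * d)
    for i in range(d):
        v[i * d + i] = 1 / math.sqrt(d)
    return v

def apply_to_first_register(K, v, d):
    """Compute (K tensor identity)|v> for a d x d matrix K."""
    out = [0j] * (d * d)
    for i in range(d):
        for j in range(d):
            for r in range(d):
                out[i * d + r] += K[i][j] * v[j * d + r]
    return out

def accept_probability(kraus, d=2):
    """Probability of outcome |phi+><phi+| after the channel acted on register 1."""
    phi = phi_plus(d)
    total = 0.0
    for K in kraus:
        w = apply_to_first_register(K, phi, d)
        overlap = sum(a.conjugate() * b for a, b in zip(phi, w))
        total += abs(overlap) ** 2      # sum over Kraus operators of |<phi+|K x 1|phi+>|^2
    return total

def scaled(c, M):
    return [[c * x for x in row] for row in M]

I = [[1, 0], [0, 1]]
X = [[0, 1], [1, 0]]
Y = [[0, -1j], [1j, 0]]
Z = [[1, 0], [0, -1]]

def identity_channel():
    return [I]

def bit_flip_channel():
    return [X]

def phase_channel(theta):
    """Unitary close to the identity for small theta."""
    return [[[1, 0], [0, cmath.exp(1j * theta)]]]

def depolarizing_channel(p):
    """rho -> (1 - p) rho + p * I/2, written with Pauli Kraus operators."""
    return [scaled(math.sqrt(1 - 3 * p / 4), I)] + \
           [scaled(math.sqrt(p / 4), P) for P in (X, Y, Z)]
```

The identity channel is accepted with probability 1, a bit flip with probability 0, and a channel close to the identity with probability close to 1.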

slide-51
SLIDE 51

Two games

QUF-Forge game

[Figure: adversary with oracle Enc_k; registers M1 C1, M2 C2, …, Mq Cq; output C*; M* obtained from C* by Dec_k]

Success:
  i) ∅
  ii) M* ≠ |⊥⟩

QUF-Test game

[Figure: oracle Enc_k with registers M1 C1 M′1, M2 C2 M′2, …, Mq Cq M′q; output C*; M* obtained from C* by Dec_k]

Run Id_{M′i M*} for all i. (Ok by gentle measurement lemma)

Cheat (=“Success”):
  i) Id_{M′i M*} succeeds for at least one i
  ii) ∅

slide-59
SLIDE 59

Quantum (plaintext) unforgeability — Definition

Definition (Quantum plaintext unforgeability): A quantum encryption scheme (KeyGen, Enc, Dec) has unforgeable plaintexts, if for all QPT adversaries 𝒜 it holds that

ℙ[𝒜 wins QUF-forge] − ℙ[𝒜 wins QUF-test] ≤ negl(n)

  • implies IND-CPA, ok because authentication ⟹ encryption (Barnum et al. 2002).
  • classical restriction is equivalent to authenticated encryption
  • can be upgraded to quantum ciphertext authentication:
      ✴ possible via lemma: any quantum encryption function can be implemented by classical sampling and unitary transformation
      ✴ use identity test for quantum part and save a copy of classical randomness
slide-65
SLIDE 65

What I couldn’t explain in 17 min…

  • QIND-CCA2: Use identity test to detect challenge decryption, again by comparing two games
  • quantum authenticated encryption? Could define as QUF+QIND-CCA2, but…
  • …alternative real vs. ideal characterization (Shrimpton, 2004) is made for the identity testing technique!
  • separate definition: QAE
  • simple construction from pseudorandom functions and unitary 2-designs

slide-66
SLIDE 66

Taxonomy of quantum security

new notions

slide-67
SLIDE 67

Conclusion

  • Generalizing authenticity and integrity security notions (and adaptive CCA security) to quantum is complicated by the fact that states from different stages of an algorithm cannot be compared
  • Divide and conquer! If it is impossible to check two properties in one game, use two (indistinguishable) games!
  • That way we get quantum versions of the integrity notions used in modern crypto.
  • They can be fulfilled and have nice relationships.

What’s left to do?

  • Is QAE=QUF+QIND-CCA2?
  • Relationship to quantum world notions?