Unforgeable Quantum Encryption Gorjan Alagic 1 Tommaso Gagliardoni 2 - - PowerPoint PPT Presentation

Unforgeable Quantum Encryption

Gorjan Alagic1 Tommaso Gagliardoni2 Christian Majenz3

1 QuICS, University of Maryland, and NIST, USA 2 IBM Research Zurich, Switzerland 3 University of Amsterdam, and QuSoft, CWI, The Netherlands

May 3rd, 2018 Tel Aviv, Israel

1

It’s 1968...

2

It’s 1968...

2

It’s 1968...

IBM System/360 Model 85: up to 4 MiB memory!!!

2

It’s 1968...

IBM System/360 Model 85: up to 4 MiB memory!!! 50 years change things a lot!!!

2

Meanwhile, in 2018...

IBM Q: 50 superconducting qubits QC

3

The Very Likely Future Timeline of QC...

4

The Very Likely Future Timeline of QC...

4

The Very Likely Future Timeline of QC...

4

The Very Likely Future Timeline of QC...

4

The Very Likely Future Timeline of QC...

4

The Very Likely Future Timeline of QC...

But remember: 50 years change things a lot!!!

4

The Very Likely Future Timeline of QC...

But remember: 50 years change things a lot!!! Scenario: honest and malicious parties alike have access to quantum computers and quantum communication networks. Need to exchange and secure data over a ‘quantum Internet’.

4

Quantum Encryption

Secret-key quantum encryption scheme: plaintext and ciphertext are arbitrary quantum states (but key is still classical)

5

Quantum Encryption

Secret-key quantum encryption scheme: plaintext and ciphertext are arbitrary quantum states (but key is still classical) Example: Quantum One-Time Pad (QOTP)

5

Quantum Encryption

Secret-key quantum encryption scheme: plaintext and ciphertext are arbitrary quantum states (but key is still classical) Example: Quantum One-Time Pad (QOTP)

5

Quantum Encryption

Secret-key quantum encryption scheme: plaintext and ciphertext are arbitrary quantum states (but key is still classical) Example: Quantum One-Time Pad (QOTP)

5

Quantum Encryption

Secret-key quantum encryption scheme: plaintext and ciphertext are arbitrary quantum states (but key is still classical) Example: Quantum One-Time Pad (QOTP)

5

Quantum Encryption

Secret-key quantum encryption scheme: plaintext and ciphertext are arbitrary quantum states (but key is still classical) Example: Quantum One-Time Pad (QOTP)

5

Security for Quantum Encryption

[BJ15] introduce quantum indistinguishability under chosen-plaintext attack (QIND-CPA)

6

Security for Quantum Encryption

[BJ15] introduce quantum indistinguishability under chosen-plaintext attack (QIND-CPA)

6

Security for Quantum Encryption

[BJ15] introduce quantum indistinguishability under chosen-plaintext attack (QIND-CPA)

6

Security for Quantum Encryption

[BJ15] introduce quantum indistinguishability under chosen-plaintext attack (QIND-CPA)

6

Security for Quantum Encryption

[BJ15] introduce quantum indistinguishability under chosen-plaintext attack (QIND-CPA)

6

Security for Quantum Encryption

[BJ15] introduce quantum indistinguishability under chosen-plaintext attack (QIND-CPA)

6

Security for Quantum Encryption

[ABF+16] introduce quantum indistinguishability under non-adaptive chosen-ciphertext attack (QIND-CCA1)

7

Security for Quantum Encryption

[ABF+16] introduce quantum indistinguishability under non-adaptive chosen-ciphertext attack (QIND-CCA1)

7

Security for Quantum Encryption

[ABF+16] introduce quantum indistinguishability under non-adaptive chosen-ciphertext attack (QIND-CCA1) Theorem [ABF+16] QIND-CCA1 schemes from quantum-resistant OWFs.

7

Security for Quantum Encryption

[ABF+16] introduce quantum indistinguishability under non-adaptive chosen-ciphertext attack (QIND-CCA1) Theorem [ABF+16] QIND-CCA1 schemes from quantum-resistant OWFs.

7

The Problem With Quantum IND-CCA2

Defining quantum IND-CCA2 is tricky!

8

The Problem With Quantum IND-CCA2

Defining quantum IND-CCA2 is tricky! Classically: must impose that no decryption queries are accepted on the challenge ciphertext (decryption oracle replies ⊥)

8

The Problem With Quantum IND-CCA2

Defining quantum IND-CCA2 is tricky! Classically: must impose that no decryption queries are accepted on the challenge ciphertext (decryption oracle replies ⊥) Quantumly: how to enforce that?

8

The Problem With Quantum IND-CCA2

Defining quantum IND-CCA2 is tricky! Classically: must impose that no decryption queries are accepted on the challenge ciphertext (decryption oracle replies ⊥) Quantumly: how to enforce that?

• what does it mean that two states are “equal”?

8

The Problem With Quantum IND-CCA2

Defining quantum IND-CCA2 is tricky! Classically: must impose that no decryption queries are accepted on the challenge ciphertext (decryption oracle replies ⊥) Quantumly: how to enforce that?

• what does it mean that two states are “equal”?
• how to check that without destroying the states?

8

The Problem With Quantum IND-CCA2

Defining quantum IND-CCA2 is tricky! Classically: must impose that no decryption queries are accepted on the challenge ciphertext (decryption oracle replies ⊥) Quantumly: how to enforce that?

• what does it mean that two states are “equal”?
• how to check that without destroying the states?

Defining QIND-CCA2 open problem for a while [BZ12, BJ15, GHS16]

8

The Problem With Quantum IND-CCA2

Defining quantum IND-CCA2 is tricky! Classically: must impose that no decryption queries are accepted on the challenge ciphertext (decryption oracle replies ⊥) Quantumly: how to enforce that?

• what does it mean that two states are “equal”?
• how to check that without destroying the states?

Defining QIND-CCA2 open problem for a while [BZ12, BJ15, GHS16] Similar problem for defining INT-CTXT (unforgeability/integrity)

8

The Problem With Quantum IND-CCA2

Defining quantum IND-CCA2 is tricky! Classically: must impose that no decryption queries are accepted on the challenge ciphertext (decryption oracle replies ⊥) Quantumly: how to enforce that?

• what does it mean that two states are “equal”?
• how to check that without destroying the states?

Defining QIND-CCA2 open problem for a while [BZ12, BJ15, GHS16] Similar problem for defining INT-CTXT (unforgeability/integrity) Existing notions of quantum authentication [DNS, GYZ] have limitations

8

The Problem With Quantum IND-CCA2

Defining quantum IND-CCA2 is tricky! Classically: must impose that no decryption queries are accepted on the challenge ciphertext (decryption oracle replies ⊥) Quantumly: how to enforce that?

• what does it mean that two states are “equal”?
• how to check that without destroying the states?

Defining QIND-CCA2 open problem for a while [BZ12, BJ15, GHS16] Similar problem for defining INT-CTXT (unforgeability/integrity) Existing notions of quantum authentication [DNS, GYZ] have limitations What about quantum authenticated encryption?

8

Overview of Results

In this work:

9

Overview of Results

In this work:

• First definition of information-theoretical one-time quantum

ciphertext authentication (QCA)

9

Overview of Results

In this work:

• First definition of information-theoretical one-time quantum

ciphertext authentication (QCA)

• Definition of Quantum Ciphertext Unforgeability (generalizes

INT-CTXT to the quantum setting)

9

Overview of Results

In this work:

• First definition of information-theoretical one-time quantum

ciphertext authentication (QCA)

• Definition of Quantum Ciphertext Unforgeability (generalizes

INT-CTXT to the quantum setting)

• Definition of QIND-CCA2

9

Overview of Results

In this work:

• First definition of information-theoretical one-time quantum

ciphertext authentication (QCA)

• Definition of Quantum Ciphertext Unforgeability (generalizes

INT-CTXT to the quantum setting)

• Definition of QIND-CCA2
• Definition of Quantum Authenticated Encryption (QAE)

9

Overview of Results

In this work:

• First definition of information-theoretical one-time quantum

ciphertext authentication (QCA)

• Definition of Quantum Ciphertext Unforgeability (generalizes

INT-CTXT to the quantum setting)

• Definition of QIND-CCA2
• Definition of Quantum Authenticated Encryption (QAE)
• Relationships amongst all these notions and the known ones

9

Overview of Results

In this work:

• First definition of information-theoretical one-time quantum

ciphertext authentication (QCA)

• Definition of Quantum Ciphertext Unforgeability (generalizes

INT-CTXT to the quantum setting)

• Definition of QIND-CCA2
• Definition of Quantum Authenticated Encryption (QAE)
• Relationships amongst all these notions and the known ones
• Relationships to the classical counterparts when restricted to

classical messages

9

Overview of Results

In this work:

• First definition of information-theoretical one-time quantum

ciphertext authentication (QCA)

• Definition of Quantum Ciphertext Unforgeability (generalizes

INT-CTXT to the quantum setting)

• Definition of QIND-CCA2
• Definition of Quantum Authenticated Encryption (QAE)
• Relationships amongst all these notions and the known ones
• Relationships to the classical counterparts when restricted to

classical messages

• Separations

9

Overview of Results

In this work:

• First definition of information-theoretical one-time quantum

ciphertext authentication (QCA)

• Definition of Quantum Ciphertext Unforgeability (generalizes

INT-CTXT to the quantum setting)

• Definition of QIND-CCA2
• Definition of Quantum Authenticated Encryption (QAE)
• Relationships amongst all these notions and the known ones
• Relationships to the classical counterparts when restricted to

classical messages

• Separations
• Constructions

9

Integrity of Ciphertexts (INT-CTXT)

10

Integrity of Ciphertexts (INT-CTXT)

10

Integrity of Ciphertexts (INT-CTXT)

10

Integrity of Ciphertexts (INT-CTXT)

10

Integrity of Ciphertexts (INT-CTXT)

10

Integrity of Ciphertexts (INT-CTXT)

10

Integrity of Ciphertexts (INT-CTXT)

10

Integrity of Ciphertexts (INT-CTXT)

10

Quantum Unforgeability (QUF)

Proposition A (classical) scheme is INT-CTXT iff ∀ A = ⇒ Pr[A wins UF-Forge] ≈ Pr[A wins UF-Cheat]

11

Quantum Unforgeability (QUF)

Proposition A (classical) scheme is INT-CTXT iff ∀ A = ⇒ Pr[A wins UF-Forge] ≈ Pr[A wins UF-Cheat] Defining the quantum analogue of UF-Forge and UF-Cheat:

11

Quantum Unforgeability (QUF)

Proposition A (classical) scheme is INT-CTXT iff ∀ A = ⇒ Pr[A wins UF-Forge] ≈ Pr[A wins UF-Cheat] Defining the quantum analogue of UF-Forge and UF-Cheat:

• defining QUF-Forge easy (just define |⊥)

11

Quantum Unforgeability (QUF)

Proposition A (classical) scheme is INT-CTXT iff ∀ A = ⇒ Pr[A wins UF-Forge] ≈ Pr[A wins UF-Cheat] Defining the quantum analogue of UF-Forge and UF-Cheat:

• defining QUF-Forge easy (just define |⊥)
• to define QUF-Cheat we need to detect ciphertext replays; this is

potentially easier than testing equality!

11

Quantum Unforgeability (QUF)

Proposition A (classical) scheme is INT-CTXT iff ∀ A = ⇒ Pr[A wins UF-Forge] ≈ Pr[A wins UF-Cheat] Defining the quantum analogue of UF-Forge and UF-Cheat:

• defining QUF-Forge easy (just define |⊥)
• to define QUF-Cheat we need to detect ciphertext replays; this is

potentially easier than testing equality! Theorem [AM17] (informal) For any symmetric-key quantum encryption scheme:

11

Quantum Unforgeability (QUF)

Proposition A (classical) scheme is INT-CTXT iff ∀ A = ⇒ Pr[A wins UF-Forge] ≈ Pr[A wins UF-Cheat] Defining the quantum analogue of UF-Forge and UF-Cheat:

• defining QUF-Forge easy (just define |⊥)
• to define QUF-Cheat we need to detect ciphertext replays; this is

potentially easier than testing equality! Theorem [AM17] (informal) For any symmetric-key quantum encryption scheme:

• the encryption can be decomposed as: pad-then-transform

11

Quantum Unforgeability (QUF)

Proposition A (classical) scheme is INT-CTXT iff ∀ A = ⇒ Pr[A wins UF-Forge] ≈ Pr[A wins UF-Cheat] Defining the quantum analogue of UF-Forge and UF-Cheat:

• defining QUF-Forge easy (just define |⊥)
• to define QUF-Cheat we need to detect ciphertext replays; this is

potentially easier than testing equality! Theorem [AM17] (informal) For any symmetric-key quantum encryption scheme:

• the encryption can be decomposed as: pad-then-transform
• the “pad” is a classical tag, and is recovered during decryption

11

Detecting Ciphertext Replays

Idea:

12

Detecting Ciphertext Replays

Idea:

1 when A asks an encryption query, do not reply with the

correct ciphertext!

12

Detecting Ciphertext Replays

Idea:

1 when A asks an encryption query, do not reply with the

correct ciphertext!

2 instead, generate an element of a random basis, encrypt it

using classical tag t and reply with such encryption; store t and classical representation of the element

12

Detecting Ciphertext Replays

Idea:

1 when A asks an encryption query, do not reply with the

correct ciphertext!

2 instead, generate an element of a random basis, encrypt it

using classical tag t and reply with such encryption; store t and classical representation of the element

3 quantumly, authentication implies encryption: therefore, if a

scheme is unforgeable, A cannot detect this replacement

12

Detecting Ciphertext Replays

Idea:

1 when A asks an encryption query, do not reply with the

correct ciphertext!

2 instead, generate an element of a random basis, encrypt it

using classical tag t and reply with such encryption; store t and classical representation of the element

3 quantumly, authentication implies encryption: therefore, if a

scheme is unforgeable, A cannot detect this replacement

4 when decrypting, first check whether the recovered tag

matches the t recorded

12

Detecting Ciphertext Replays

Idea:

1 when A asks an encryption query, do not reply with the

correct ciphertext!

2 instead, generate an element of a random basis, encrypt it

using classical tag t and reply with such encryption; store t and classical representation of the element

3 quantumly, authentication implies encryption: therefore, if a

scheme is unforgeable, A cannot detect this replacement

4 when decrypting, first check whether the recovered tag

matches the t recorded

5 if so, measure the recovered plaintext in the recorded base and

check whether this is the previously generated element

12

Detecting Ciphertext Replays

Idea:

1 when A asks an encryption query, do not reply with the

correct ciphertext!

2 instead, generate an element of a random basis, encrypt it

using classical tag t and reply with such encryption; store t and classical representation of the element

3 quantumly, authentication implies encryption: therefore, if a

scheme is unforgeable, A cannot detect this replacement

4 when decrypting, first check whether the recovered tag

matches the t recorded

5 if so, measure the recovered plaintext in the recorded base and

check whether this is the previously generated element

6 if so, congratulations: you have just detected a ciphertext

replay!

12

Properties of QUF

Quantum Unforgeability of Ciphertexts

A scheme is QUF iff ∀ QPT adversary A = ⇒ Pr[A wins QUF-Forge] ≈ Pr[A wins QUF-Cheat]

13

Properties of QUF

Quantum Unforgeability of Ciphertexts

A scheme is QUF iff ∀ QPT adversary A = ⇒ Pr[A wins QUF-Forge] ≈ Pr[A wins QUF-Cheat]

Theorem

QUF = ⇒ QIND-CPA

13

Properties of QUF

Quantum Unforgeability of Ciphertexts

A scheme is QUF iff ∀ QPT adversary A = ⇒ Pr[A wins QUF-Forge] ≈ Pr[A wins QUF-Cheat]

Theorem

QUF = ⇒ QIND-CPA

• therefore QUF is not the “quantum analogue” of INT-CTXT

13

Properties of QUF

Quantum Unforgeability of Ciphertexts

A scheme is QUF iff ∀ QPT adversary A = ⇒ Pr[A wins QUF-Forge] ≈ Pr[A wins QUF-Cheat]

Theorem

QUF = ⇒ QIND-CPA

• therefore QUF is not the “quantum analogue” of INT-CTXT
• this is a typically quantum property: in the quantum world

authentication implies encryption

13

Properties of QUF

Quantum Unforgeability of Ciphertexts

A scheme is QUF iff ∀ QPT adversary A = ⇒ Pr[A wins QUF-Forge] ≈ Pr[A wins QUF-Cheat]

Theorem

QUF = ⇒ QIND-CPA

• therefore QUF is not the “quantum analogue” of INT-CTXT
• this is a typically quantum property: in the quantum world

authentication implies encryption Theorem

The classical restriction of QUF is equivalent to AE

13

Properties of QUF

Quantum Unforgeability of Ciphertexts

A scheme is QUF iff ∀ QPT adversary A = ⇒ Pr[A wins QUF-Forge] ≈ Pr[A wins QUF-Cheat]

Theorem

QUF = ⇒ QIND-CPA

• therefore QUF is not the “quantum analogue” of INT-CTXT
• this is a typically quantum property: in the quantum world

authentication implies encryption Theorem

The classical restriction of QUF is equivalent to AE

• however, we show that QUF is not the “right” quantum

analogue of AE either (spoiler: it does not imply QIND-CCA2)

13

Quantum IND-CCA2

For defining QIND-CCA2: similar idea

14

Quantum IND-CCA2

For defining QIND-CCA2: similar idea

• Define an unrestricted QCCA2-Test game, where no restrictions are

imposed on the decryption oracle

14

Quantum IND-CCA2

For defining QIND-CCA2: similar idea

• Define an unrestricted QCCA2-Test game, where no restrictions are

imposed on the decryption oracle

• Define a QCCA2-Fake game, where the adversary wins iff a

decryption of the challenge ciphertext is detected

14

Properties of QIND-CCA2

Quantum IND-CCA2

A scheme is QIND-CCA2 iff ∀ QPT adversary A = ⇒ Pr[A wins QCCA2-Test] − Pr[A wins QCCA2-Fake] ≤ negligible

15

Properties of QIND-CCA2

Quantum IND-CCA2

A scheme is QIND-CCA2 iff ∀ QPT adversary A = ⇒ Pr[A wins QCCA2-Test] − Pr[A wins QCCA2-Fake] ≤ negligible

Theorem

QIND-CCA2 = ⇒ QIND-CCA1

15

Properties of QIND-CCA2

Quantum IND-CCA2

A scheme is QIND-CCA2 iff ∀ QPT adversary A = ⇒ Pr[A wins QCCA2-Test] − Pr[A wins QCCA2-Fake] ≤ negligible

Theorem

QIND-CCA2 = ⇒ QIND-CCA1

Theorem

The classical restriction of QIND-CCA2 is equivalent to IND-CCA2

15

Quantum Authenticated Encryption (QAE)

Idea: use replay-detecting on a real-VS-ideal approach. Quantum Authenticated Encryption (QAE) A scheme is QAE iff ∀ A = ⇒ Pr[A distinguishes QAE-Real from QAE-Ideal] is at most negligibly better than guessing.

16

Quantum Authenticated Encryption (QAE)

Idea: use replay-detecting on a real-VS-ideal approach. Quantum Authenticated Encryption (QAE) A scheme is QAE iff ∀ A = ⇒ Pr[A distinguishes QAE-Real from QAE-Ideal] is at most negligibly better than guessing. QAE has all the nice properties you would expect:

16

Quantum Authenticated Encryption (QAE)

Idea: use replay-detecting on a real-VS-ideal approach. Quantum Authenticated Encryption (QAE) A scheme is QAE iff ∀ A = ⇒ Pr[A distinguishes QAE-Real from QAE-Ideal] is at most negligibly better than guessing. QAE has all the nice properties you would expect: Theorem QAE = ⇒ QIND-CCA2

16

Quantum Authenticated Encryption (QAE)

Idea: use replay-detecting on a real-VS-ideal approach. Quantum Authenticated Encryption (QAE) A scheme is QAE iff ∀ A = ⇒ Pr[A distinguishes QAE-Real from QAE-Ideal] is at most negligibly better than guessing. QAE has all the nice properties you would expect: Theorem QAE = ⇒ QIND-CCA2 Theorem QAE = ⇒ QUF

16

Quantum Authenticated Encryption (QAE)

Idea: use replay-detecting on a real-VS-ideal approach. Quantum Authenticated Encryption (QAE) A scheme is QAE iff ∀ A = ⇒ Pr[A distinguishes QAE-Real from QAE-Ideal] is at most negligibly better than guessing. QAE has all the nice properties you would expect: Theorem QAE = ⇒ QIND-CCA2 Theorem QAE = ⇒ QUF Theorem The classical restriction of QAE is equivalent to AE (but: QAE is equivalent to QUF only on the classical level)

16

Other Results

• information-theoretical definition of many-times ciphertext

authentication (QCA)...

17

Other Results

• information-theoretical definition of many-times ciphertext

authentication (QCA)...

• ... and its computational variant cQCA...

17

Other Results

• information-theoretical definition of many-times ciphertext

authentication (QCA)...

• ... and its computational variant cQCA...
• ... and relations to the other notions

17

Other Results

• information-theoretical definition of many-times ciphertext

authentication (QCA)...

• ... and its computational variant cQCA...
• ... and relations to the other notions
• separations between all these notions

17

Other Results

• information-theoretical definition of many-times ciphertext

authentication (QCA)...

• ... and its computational variant cQCA...
• ... and relations to the other notions
• separations between all these notions
• secure constructions (ony assuming quantum-secure OWF!)

17

Other Results

• information-theoretical definition of many-times ciphertext

authentication (QCA)...

• ... and its computational variant cQCA...
• ... and relations to the other notions
• separations between all these notions
• secure constructions (ony assuming quantum-secure OWF!)

17

Conclusions

Take-home message (TL;DR)

• complete and coherent hierarchy of security notions for

quantum symmetric-key encryption schemes, including the longstanding quantum IND-CCA2

• quantum authenticated encryption (QAE) as strongest form of

quantum security

• constructions achievable with minimal security assumptions

(existence of quantum-resistant OWF)

• 2q-wise independent functions not necessary

18

Conclusions

Take-home message (TL;DR)

• complete and coherent hierarchy of security notions for

quantum symmetric-key encryption schemes, including the longstanding quantum IND-CCA2

• quantum authenticated encryption (QAE) as strongest form of

quantum security

• constructions achievable with minimal security assumptions

(existence of quantum-resistant OWF)

• 2q-wise independent functions not necessary

PRETTY COOL :-)

18

End Of This Talk

Thanks for your attention! tog@zurich.ibm.com

19