Formal Verification of Quantum Cryptography Dominique Unruh University of Tartu.


Outline
Quantum crypto:
– What and why?
– Challenges
Verification of quantum crypto:
– Motivation and challenges
– Current work

What is quantum cryptography?
Cryptography involving quantum mechanics:
– Security against quantum computers
– Using quantum mechanics in crypto protocols

What is quantum mechanics?
Classical world
– Everything is in a well-defined state
– You can observe the state of a system
Quantum world
– Things can be in “superposition” of several classical states
– Observation makes the system jump into one possibility
[Illustrations: classical states (ON / OFF, left / right, x=5 / x=6); superpositions (“15% OFF + 85% ON”, “x=5 but also a bit 6”); observations (“What is x? Aha, 5.”, “Where is my sock? Aha. Left foot.”, “What is x? Aha, 5” / “Aha, 6”)]

QM and computers
Quantum mechanics used routinely in technology
– Transistors are based on quantum effects
But “hidden” from the user
– A transistor implements a “classical” on/off switch
– Programs can treat all variables as having definite values at any time

Quantum computers
Computer is in many states: “Quantum parallelism”
Can be exploited
– Under very specific conditions!
We can:
– Compute discrete logarithms (breaks ElGamal etc.)
– Factor large integers (breaks RSA etc.)
– Reduce the time for brute force attacks to the square root

If quantum computers were here…
ElGamal, RSA, elliptic curve crypto
– All commonly used public key crypto: BROKEN
Lattice-based crypto, McEliece etc.
– Candidates for replacements: Exist, but not as well-studied
Common symmetric crypto (AES etc.)
– Symmetric crypto: Double the key length!
If quantum computers were available today… we would be screwed.

The threat today
Quantum computers do not exist
Unclear when
If we don’t start research now, major disaster when they come
Research & awareness: now!
“Post-quantum cryptography” (classical crypto, quantum-secure)

Quantum Protocols
Use quantum communication to make impossible tasks feasible
Best known example: Unconditionally secure key distribution
Possible today! (No quantum computer needed.)
(Not the main focus of this talk.)

Post-quantum cryptography
What must be done?
1. Identify assumptions that are not quantum-broken (e.g., lattice-based crypto, not RSA)
2. Build cryptosystems based on those
3. Prove security
Needs quantum know-how/techniques
Possible without “quantum literacy”?

The post-quantum fallacy

Why is the fallacy wrong?

Summary (so far)
Post-quantum crypto:
– Security of classical protocols against quantum attacks
Finding quantum hard assumptions: Not enough
Need quantum proof techniques
→ “Normal” cryptographers cannot verify their own schemes!

Quantum Crypto & Verification
[Diagram. Labels: Formal methods & security; Symbolic models (for classical protocols, for quantum protocols); Computational crypto; Post-quantum crypto (“classical” proofs, “quantum” proofs); Quantum protocols. Annotations: “Nothing to do (?)”, “???”, “Existing tools?”, “New languages and logics”.]

Post-quantum crypto verification (computational / classical proto / quantum adv)
Tools exist for computational verification:
– CertiCrypt (relational Hoare)
– EasyCrypt (relational Hoare, higher level)
– CryptoVerif (rewriting, automated)
Could those be quantum-sound?

Quantum soundness of EasyCrypt

Why EasyCrypt fails…

“QuEasyCrypt” (work in progress…)
Quantum language for crypto games
– Follows EasyCrypt, no surprises
Quantum Hoare Logic
Quantum Relational Hoare Logic
– Same intuition as probabilistic RHL
– But semantics are quantum → rules must be refined

Quantum Hoare Logic

Classical Relational Hoare Logic

Classical Relational Hoare Logic
[Diagram labels: project to first, project to second]

Quantum Relational Hoare Logic?

Quantum Relational Hoare Logic?
[Diagram labels: project to first, project to second (shown twice)]

QuEasyCrypt – the future
If you can use EasyCrypt, you can use QuEasyCrypt
– Get post-quantum verification for free (when classical proof is quantum-sound)
Verification of quantum protocols:
– Should be possible
– Time will show

Summary
[Diagram. Labels: Formal methods & security; Symbolic models (for classical protocols, for quantum protocols); Computational crypto; Post-quantum crypto (“classical” proofs, “quantum” proofs); Quantum protocols. Annotations: “Nothing to do (?)”, “???”, “Existing tools?”, “New languages and logics”, “QuEasyCrypt?”.]

Questions?
(Or catch me for offline discussion…)

I thank you for your attention.
This research was supported by European Social Fund’s Doctoral Studies and Internationalisation Programme DoRa.
Logo soup