Quantum cryptography: key distribution and beyond

Uniquely among the sciences, quantum cryptography has driven both foundational research as well as practical real-life applications. We review the progress of quantum cryptography in the last decade, covering quantum key distribution and other applications.Comment: It's a review on quantum cryptography and it is not restricted to QK

Dependable and Scalable Public Ledger for Policy Compliance, a Blockchain Based Approach

Policies and regulations, such as the European Union General Data Protection Regulation (EU GDPR), have been enforced to protect personal data from abuse during storage and processing. We design and implement a prototype scheme that could 1) provide a public ledger of policy compliance to help the public make informative decisions when choosing data services; 2) provide support to the organizations for identifying violations and improve their ability of compliance. Honest organizations could then benefit from their positive records on the public ledger. To address the scalability problem inherent in the Blockchain-based systems, we develop algorithms and leverage state channels to implement an on-chain-hash-off-chain data structure. We identify the verification of the information from the external world as a critical problem when using Blockchains as public ledgers, and address this problem by the incentive-based trust model implied by state channels. We propose the Verifiable Off-Chain Message Channel as the integrated solution for leveraging blockchain technology as a general-purpose recording mechanism and support our thesis with performance experiments. Finally, we suggest a sticky policy mechanism as the evidence source for the public ledger to monitor cross-boundary policy compliance

New security notions and feasibility results for authentication of quantum data

We give a new class of security definitions for authentication in the quantum setting. These definitions capture and strengthen existing definitions of security against quantum adversaries for both classical message authentication codes (MACs) and well as full quantum state authentication schemes. The main feature of our definitions is that they precisely characterize the effective behavior of any adversary when the authentication protocol accepts, including correlations with the key. Our definitions readily yield a host of desirable properties and interesting consequences; for example, our security definition for full quantum state authentication implies that the entire secret key can be re-used if the authentication protocol succeeds. Next, we present several protocols satisfying our security definitions. We show that the classical Wegman-Carter authentication scheme with 3-universal hashing is secure against superposition attacks, as well as adversaries with quantum side information. We then present conceptually simple constructions of full quantum state authentication. Finally, we prove a lifting theorem which shows that, as long as a protocol can securely authenticate the maximally entangled state, it can securely authenticate any state, even those that are entangled with the adversary. Thus, this shows that protocols satisfying a fairly weak form of authentication security automatically satisfy a stronger notion of security (in particular, the definition of Dupuis, et al (2012)).Comment: 50 pages, QCrypt 2016 - 6th International Conference on Quantum Cryptography, added a new lifting theorem that shows equivalence between a weak form of authentication security and a stronger notion that considers side informatio

Input-shrinking functions: theory and application

In this thesis, we contribute to the emerging field of the Leakage-Resilient Cryptography by studying the problem of secure data storage on hardware that may leak information, introducing a new primitive, a leakage-resilient storage, and showing two different constructions of such storage scheme provably secure against a class of leakage functions that can depend only on some restricted part of the memory and against a class of computationally weak leakage functions, e.g. functions computable by small circuits, respectively. Our results come with instantiations and analysis of concrete parameters. Furthermore, as second contribution, we present our implementation in C programming language, using the cryptographic library of the OpenSSL project, of a two-party Authenticated Key Exchange (AKE) protocol, which allows a client and a server, who share a huge secret file, to securely compute a shared key, providing client-to-server authentication, also in the presence of active attackers. Following the work of Cash et al. (TCC 2007), we based our construction on a Weak Key Exchange (WKE) protocol, developed in the BRM, and a Password-based Authenticated Key Exchange (PAKE) protocol secure in the Universally Composable (UC) framework. The WKE protocol showed by Cash et al. uses an explicit construction of averaging sampler, which uses less random bits than the random choice but does not seem to be efficiently implementable in practice. In this thesis, we propose a WKE protocol similar but simpler than that one of Cash et al.: our protocol uses more randomness than the Cash et al.'s one, as it simply uses random choice instead of averaging sampler, but we are able to show an efficient implementation of it. Moreover, we formally adapt the security analysis of the WKE protocol of Cash et al. to our WKE protocol. To complete our AKE protocol, we implement the PAKE protocol showed secure in the UC framework by Abdalla et al. (CT-RSA 2008), which is more efficient than the Canetti et al.'s UC-PAKE protocol (EuroCrypt 2005) used in Cash et al.'s work. In our implementation of the WKE protocol, to achieve small constant communication complexity and amount of randomness, we rely on the Random Oracle (RO) model. However, we would like to note that in our implementation of the AKE protocol we need also a UC-PAKE protocol which already relies on RO, as it is impossible to achieve UC-PAKE in the standard model. In our work we focus not only on the theoretical aspects of the area, providing formal models and proofs, but also on the practical ones, analyzing instantiations, concrete parameters and implementation of the proposed solutions, to contribute to bridge the gap between theory and practice in this field

The art of post-truth in quantum cryptography

L’établissement de clé quantique (abrégé QKD en anglais) permet à deux participants distants, Alice et Bob, d’établir une clé secrète commune (mais aléatoire) qui est connue uniquement de ces deux personnes (c’est-à-dire inconnue d’Ève et de tout autre tiers parti). La clé secrète partagée est inconditionnellement privée et peut être plus tard utilisée, par Alice et Bob, pour transmettre des messages en toute confidentialité, par exemple sous la forme d’un masque jetable. Le protocole d’établissement de clé quantique garantit la confidentialité inconditionnelle du message en présence d’un adversaire (Ève) limité uniquement par les lois de la mécanique quantique, et qui ne peut agir sur l’information que se partagent Alice et Bob que lors de son transit à travers des canaux classiques et quantiques. Mais que se passe-t-il lorsque Ève a le pouvoir supplémentaire de contraindre Alice et/ou Bob à révéler toute information, jusqu’alors gardée secrète, générée lors de l’exécution (réussie) du protocole d’établissement de clé quantique (éventuellement suite à la transmission entre Alice et Bob d’un ou plusieurs messages chiffrés classique à l’aide de cette clé), de manière à ce qu’Ève puisse reproduire l’entièreté du protocole et retrouver la clé (et donc aussi le message qu’elle a chiffré) ? Alice et Bob peuvent-ils nier la création de la clé de manière plausible en révélant des informations mensongères pour qu’Ève aboutisse sur une fausse clé ? Les protocoles d’établissement de clé quantiques peuvent-ils tels quels garantir la possibilité du doute raisonnable ? Dans cette thèse, c’est sur cette énigme que nous nous penchons. Dans le reste de ce document, nous empruntons le point de vue de la théorie de l’information pour analyser la possibilité du doute raisonnable lors de l’application de protocoles d’établissement de clé quantiques. Nous formalisons rigoureusement différents types et degrés de doute raisonnable en fonction de quel participant est contraint de révéler la clé, de ce que l’adversaire peut demander, de la taille de l’ensemble de fausses clés qu’Alice et Bob peuvent prétendre établir, de quand les parties doivent décider de la ou des clés fictives, de quelle est la tolérance d’Ève aux événements moins probables, et du recours ou non à des hypothèses de calcul. Nous définissons ensuite rigoureusement une classe générale de protocoles d’établissement de clé quantiques, basée sur un canal quantique presque parfait, et prouvons que tout protocole d’établissement de clé quantique appartenant à cette classe satisfait la définition la plus générale de doute raisonnable : à savoir, le doute raisonnable universel. Nous en fournissons quelques exemples. Ensuite, nous proposons un protocole hybride selon lequel tout protocole QKD peut être au plus existentiellement déniable. De plus, nous définissons une vaste classe de protocoles d’établissement de clé quantiques, que nous appelons préparation et mesure, et prouvons l’impossibilité d’instiller lors de ceux-ci tout degré de doute raisonnable. Ensuite, nous proposons une variante du protocole, que nous appelons préparation et mesure floues qui offre un certain niveau de doute raisonnable lorsque Ève est juste. Par la suite, nous proposons un protocole hybride en vertu duquel tout protocole d’établissement de clé quantique ne peut offrir au mieux que l’option de doute raisonnable existentiel. Finalement, nous proposons une variante du protocole, que nous appelons mono-déniable qui est seulement Alice déniable ou Bob déniable (mais pas les deux).Quantum Key Establishment (QKD) enables two distant parties Alice and Bob to establish a common random secret key known only to the two of them (i.e., unknown to Eve and anyone else). The common secret key is information-theoretically secure. Later, Alice and Bob may use this key to transmit messages securely, for example as a one-time pad. The QKD protocol guarantees the confidentiality of the key from an information-theoretic perspective against an adversary Eve who is only limited by the laws of quantum theory and can act only on the signals as they pass through the classical and quantum channels. But what if Eve has the extra power to coerce Alice and/or Bob after the successful execution of the QKD protocol forcing either both or only one of them to reveal all their private information (possibly also after one or several (classical) ciphertexts encrypted with that key have been transmitted between Alice and Bob) then Eve could go through the protocol and obtain the key (hence also the message)? Can Alice and Bob deny establishment of the key plausibly by revealing fake private information and hence also a fake key? Do QKD protocols guarantee deniability for free in this case? In this Thesis, we investigate this conundrum. In the rest of this document, we take an information-theoretic perspective on deniability in quantum key establishment protocols. We rigorously formalize different levels and flavours of deniability depending on which party is coerced, what the adversary may ask, what is the size of the fake set that surreptitious parties can pretend to be established, when the parties should decide on the fake key(s), and what is the coercer’s tolerance to less likely events and possibly also computational assumptions. We then rigorously define a general class of QKD protocols, based on an almost-perfect quantum channel, and prove that any QKD protocol that belongs to this class satisfies the most general flavour of deniability, i.e.,universal deniability. Moreover, we define a broad class of QKD protocols, which we call prepare-and-measure, and prove that these protocols are not deniable in any level or flavour. Moreover, we define a class of QKD protocols, which we refer to as fuzzy prepare-andmeasure, that provides a certain level of deniability conditioned on Eve being fair. Furthermore, we propose a hybrid protocol under which any QKD protocol can be at most existentially deniable. Finally, we define a class of QKD protocols, which we refer to as mono-deniable, which is either Alice or Bob (but not both) deniable

The Security of Practical Quantum Key Distribution

Quantum key distribution (QKD) is the first quantum information task to reach the level of mature technology, already fit for commercialization. It aims at the creation of a secret key between authorized partners connected by a quantum channel and a classical authenticated channel. The security of the key can in principle be guaranteed without putting any restriction on the eavesdropper's power. The first two sections provide a concise up-to-date review of QKD, biased toward the practical side. The rest of the paper presents the essential theoretical tools that have been developed to assess the security of the main experimental platforms (discrete variables, continuous variables and distributed-phase-reference protocols).Comment: Identical to the published version, up to cosmetic editorial change

Attacking and securing Network Time Protocol

Network Time Protocol (NTP) is used to synchronize time between computer systems communicating over unreliable, variable-latency, and untrusted network paths. Time is critical for many applications; in particular it is heavily utilized by cryptographic protocols. Despite its importance, the community still lacks visibility into the robustness of the NTP ecosystem itself, the integrity of the timing information transmitted by NTP, and the impact that any error in NTP might have upon the security of other protocols that rely on timing information. In this thesis, we seek to accomplish the following broad goals: 1. Demonstrate that the current design presents a security risk, by showing that network attackers can exploit NTP and then use it to attack other core Internet protocols that rely on time. 2. Improve NTP to make it more robust, and rigorously analyze the security of the improved protocol. 3. Establish formal and precise security requirements that should be satisfied by a network time-synchronization protocol, and prove that these are sufficient for the security of other protocols that rely on time. We take the following approach to achieve our goals incrementally. 1. We begin by (a) scrutinizing NTP's core protocol (RFC 5905) and (b) statically analyzing code of its reference implementation to identify vulnerabilities in protocol design, ambiguities in specifications, and flaws in reference implementations. We then leverage these observations to show several off- and on-path denial-of-service and time-shifting attacks on NTP clients. We then show cache-flushing and cache-sticking attacks on DNS(SEC) that leverage NTP. We quantify the attack surface using Internet measurements, and suggest simple countermeasures that can improve the security of NTP and DNS(SEC). 2. Next we move beyond identifying attacks and leverage ideas from Universal Composability (UC) security framework to develop a cryptographic model for attacks on NTP's datagram protocol. We use this model to prove the security of a new backwards-compatible protocol that correctly synchronizes time in the face of both off- and on-path network attackers. 3. Next, we propose general security notions for network time-synchronization protocols within the UC framework and formulate ideal functionalities that capture a number of prevalent forms of time measurement within existing systems. We show how they can be realized by real-world protocols (including but not limited to NTP), and how they can be used to assert security of time-reliant applications-specifically, cryptographic certificates with revocation and expiration times. Our security framework allows for a clear and modular treatment of the use of time in security-sensitive systems. Our work makes the core NTP protocol and its implementations more robust and secure, thus improving the security of applications and protocols that rely on time

A Universally Composable Framework for the Privacy of Email Ecosystems

Email communication is amongst the most prominent online activities, and as such, can put sensitive information at risk. It is thus of high importance that internet email applications are designed in a privacy-aware manner and analyzed under a rigorous threat model. The Snowden revelations (2013) suggest that such a model should feature a global adversary, in light of the observational tools available. Furthermore, the fact that protecting metadata can be of equal importance as protecting the communication context implies that end-to-end encryption may be necessary, but it is not sufficient. With this in mind, we utilize the Universal Composability framework [Canetti, 2001] to introduce an expressive cryptographic model for email ``ecosystems\u27\u27 that can formally and precisely capture various well-known privacy notions (unobservability, anonymity, unlinkability, etc.), by parameterizing the amount of leakage an ideal-world adversary (simulator) obtains from the email functionality. Equipped with our framework, we present and analyze the security of two email constructions that follow different directions in terms of the efficiency vs. privacy tradeoff. The first one achieves optimal security (only the online/offline mode of the users is leaked), but it is mainly of theoretical interest; the second one is based on parallel mixing [Golle and Juels, 2004] and is more practical, while it achieves anonymity with respect to users that have similar amount of sending and receiving activity